Companion Document

Companion Document
 Table of Contents

Chapter 1 Process: Management.......................................................................... 3

Chapter 2 Process: Device Marketing Authorization and Facility Registration.... 13

Chapter 3 Process: Measurement, Analysis and Improvement ........................... 21

Chapter 4 Process: Medical Device Adverse Events and

Advisory Notices Reporting ............................................................................... 36

Chapter 5 Process: Design and Development ..................................................... 43

Chapter 6 Process: Production and Service Controls ......................................... 59

Chapter 7 Process: Purchasing .......................................................................... 84

2 Companion Document
 Medical Device Single Audit Program
Chapter 1
Process: Management
The intent of the Management process is to provide adequate resources for device design,
manufacturing, quality assurance, distribution, installation, and servicing activities; to assure the
quality management system is functioning properly and effectively; and to monitor the quality
management system and make necessary adjustments. A quality management system that has been
implemented effectively and is monitored to identify and address existing and potential problems is
more likely to produce medical devices that function as intended.
The management representative is responsible for ensuring that the requirements of the quality
management system have been effectively defined, documented, implemented, and maintained. Prior
to the review of any process, interview the management representative (or designee) to obtain an
overview of the process and a feel for management’s knowledge and understanding of the process.
The Management process is the first process to be audited per the MDSAP audit sequence.
Auditing the Management Process
Purpose: The purpose of auditing the Management process is to verify that top management
ensures that an adequate and effective quality management system has been established and
maintained. The audit should commence and end with the management process.
Outcomes: As a result of the audit of the Management process, objective evidence will show
whether the organization has:
A) Identified processes needed for the quality management system, their application throughout the
organization, and their sequence and interaction
B) Defined, documented, and implemented procedures and instructions to ensure the development and
maintenance of an effective quality management system
C) Established quality objectives at relevant functions and levels within the organization consistent with
the quality policy and ensured that these are periodically reviewed for continued suitability
D) Determined the criteria and methods needed to ensure the operation and control of quality
management system processes, including the identification and management of interrelated processes
E) Committed the appropriate personnel and resources for infrastructure to the quality management
system
F) Assigned responsibility and authority to personnel and established the organizational structure to
ensure processes assuring quality are not compromised
G) Performed risk management planning and ongoing review of the effectiveness of risk management
activities to ensure that policies, procedures and practices are established for analyzing, evaluating and
controlling risk
H) Ensured the continued effectiveness of the quality management system and its processes
I.) Established a quality management system which is capable of producing devices that are safe,
effective and suitable for their intended use

Companion Document 3
Links to Other Processes: Measurement, Analysis and Improvement; Design and Development;
Purchasing; Production and Service Controls; Device Marketing Authorization and Facility
Registration

Audit Tasks and Links to Other Processes:

1. Verify that a quality manual, management review, and quality management system
procedures and instructions have been defined and documented.
Clause and Regulation: [ISO 13485:2003: 4.1, 4.2.1, 4.2.2, 5.4.2; TG(MD)R Sch3 P1 1.4(4); RDC ANVISA 16/2013:
2.1, 2.2.1, 2.2.6; 21 CFR 820.20]

Additional country-specific requirements:

United States (FDA):

Confirm the organization has established a quality plan which defines the quality practices, resources, and
activities relevant to devices that are designed and manufactured [21 CFR 820.20(d)].

Assessing conformity:

Quality management system

Manufacturers of medical devices are required to establish a quality management system
(including quality system procedures and instructions) that is tailored to the medical devices
they are manufacturing or designing. The manufacturer’s quality management system must
properly implement all applicable requirements of Medical devices – Quality management
systems – Requirements for regulatory purposes (ISO 13485:2003), Brazilian Good Manufacturing
Practices (RDC ANVISA 16/2013), the Quality System Regulation (21 CFR Part 820) and specific
requirements of medical device regulatory authorities participating in the MDSAP program, as
well as other necessary controls to assure its finished devices, the design and manufacturing
processes, and all related activities conform to approved specifications.
Quality system procedures and instructions
The organization may refer to these as Level 1 documents. They are typically high-level, non-
product and non-process specific documents and can usually be found in the Quality Manual.
These procedures and instructions may contain information on the sequence and interaction of
various quality management system processes. The Quality Manual is to outline the structure of
the documentation and to describe the interaction of processes (e.g. the processes for identifying
nonconformities and corrections and the processes for investigating nonconformities to determine
root cause and corrective actions).
Management review procedures
Management reviews are one of the basic tenants of a good quality management system. It is
important that the organization establish procedures for conducting management reviews.
Quality plan
The Quality System Regulation (21 CFR 820) requires that the organization establish a quality
plan(s). A quality plan should include quality practices, resources, and activities relevant to the
medical devices being designed and manufactured. It must be specifically relevant to devices.

4 Companion Document
 Elements of the quality plan are typically found in the organization’s quality management system
documentation (e.g., the Quality Manual, records, production procedures, quality system
procedures, measurement, analysis and improvement procedures, and design and development
procedures). A quality plan may be specific to one device or specific to overall systems. In effect,
the quality plan serves as a roadmap of the quality management system. The plan can reference
the applicable quality management system documents and indicate how they apply to the device
that is the subject of the plan.
2. Confirm top management has documented the appointment of a management
representative. Verify the responsibilities of the management representative include
ensuring that quality management system requirements are effectively established
and maintained, reporting to top management on the performance of the quality
management system, and ensuring the promotion of awareness of regulatory
requirements throughout the organization.
Clause and Regulation: [ISO 13485:2003: 5.5.2; TG(MD)R Sch3 P1 1.4(5)(b); RDC ANVISA 16/2013: 2.2.5; 21 CFR
820.20(b)]

Additional country-specific requirements: None

Assessing conformity:

Management representative
It is important to confirm that top management has appointed a management representative and
that the responsibilities and authorities of the management representative have been defined,
documented, and implemented. The appointment of the management representative must be
documented.
Confirm appointment
The organization may document the appointment of a management representative in an
organizational chart, Quality Manual, memorandum to file, position description, or other
appropriate manner. The appointment of the management representative may be made by name
or title.
Evaluate responsibility and authority
Confirm that the management representative has established responsibility and authority for
ensuring that the quality management system is effectively defined, documented, implemented,
and maintained. The management representative must also have established responsibility
and authority for reporting to top management on the performance of the quality management
system. Confirmation can be accomplished by interviewing the management representative and
top management and reviewing the Quality Manual, the management representative’s position
description, or similar documents.
Other examples
Additional examples of evidence of the management representative’s responsibilities and
authorities may include:
• Sign-off authority for changes to procedures, processes, designs, etc.
• Authority to act on behalf of top management during the audit

Companion Document 5
 • Authority to place products or processes on hold
• Responsibility for managing quality audit functions
• Responsibility for contributing to corrective and preventive action activities, complaint handling,
and the handling of nonconforming product, etc.
Training
Where the activities performed personally by the management representative result in a
determination of whether product meets requirements, including regulatory requirements, the
management representative must be competent to perform such activities. In such cases, verify
that training and experience includes the relevant regulatory requirements.
3. Verify that a quality policy and objectives have been set at relevant functions and levels
within the organization. Ensure the quality objectives are measurable and consistent
with the quality policy. Confirm appropriate measures are taken to achieve the quality
objectives.
Clause and Regulation: [ISO 13485:2003: 5.3, 5.4.1; TG(MD)R Sch3 P1 1.4(5)(a); RDC ANVISA 16/2013: 2.2.1; 21
CFR 820.20(a)]

Additional country-specific requirements: None

Assessing conformity:

Quality policy
A quality policy is comprised of one or more statements of the organization’s intentions and
direction with respect to quality. Top management must establish the quality policy and ensure
quality objectives are established that are consistent with the quality policy. Top management
must ensure that the quality policy is understood and communicated at all levels of the
organization. An assessment of whether the organization’s quality system is satisfying the
established quality policy and objectives should be a topic addressed during management
reviews.
Quality objectives
An effective way of determining whether quality objectives have been implemented is to ask for
examples of quality objectives and the status of these objectives. Typically, a quality objective is
expressed as a measurable target or goal. An example of an organization’s quality objective could
be “to have all essential components meet specifications at a defined reliability rate or better.”
To accomplish this objective, the organization will have to identify, evaluate, and approve reliable
suppliers or bring the manufacturing of that component in-house.
4. Review the manufacturer’s organizational structure and related documents to verify
that they include provisions for responsibilities, authorities (e.g., management
representative), personnel, resources for infrastructure, competencies, and training
to ensure that personnel have the necessary competence to design and manufacture
devices in accordance with the planned arrangements and applicable regulatory
requirements.
Clause and Regulation: [ISO 13485:2003: 5.1, 5.5.1, 5.5.2, 6.1, 6.2; TG(MD)R Sch3 P1 1.4(5)(b)(ii); RDC ANVISA
16/2013: 2.2.2, 2.2.3. 2.2.4, 2.3; 21 CFR 820.20(b), 820.25]

6 Companion Document
 Additional country-specific requirements: None

Assessing conformity:

Responsibility and authority

Methods for completing this audit task include reviewing the organizational chart(s) and
asking authority and responsibility questions. The responsibilities and authorities of various
individuals within the organization are also typically described within the Quality Manual, position
descriptions, and job postings.
Resources
Top management is responsible for ensuring that resources necessary to maintain an effective
quality management system are provided. Resources include money, equipment, supplies, and
personnel. One method for confirming that adequate resources are made available is to ask the
management representative to provide several examples of recent requests for different types of
resources and describe the outcomes of these requests.
5. Determine the extent of outsourcing of processes that may affect the conformity of
product with specified requirements and verify the proper documentation of controls in
the quality management system.
Clause and Regulation: [ISO 13485:2003: 4.1, 4.2.1; RDC ANVISA 16/2013: 2.5; 21 CFR 820.50]

Additional country-specific requirements:

Australia (TGA):

If an Australian Sponsor undertakes an activity that is preferred by the manufacturer, or required, to be

under the control of the manufacturer, verify that the roles and responsibilities of the Australian Sponsor
are documented in the manufacturer’s quality management system and that the Sponsor is qualified and
controlled as a supplier. For example, but not limited to; a labeling activity to ensure that the name and
address of the Australian Sponsor accompanies the device [TG(MD)R Reg 10.2], the installation of a device,
or the servicing of a device.

Canada (HC):

Verify that the roles and responsibilities of any regulatory correspondents, importers, distributors, or providers
of a service are clearly documented in the organization’s quality management system and are qualified as
suppliers and controlled.

Assessing conformity:

Outsourcing
Most organizations outsource at least some products (including services) that affect the ability
of the medical device to conform to specified requirements. Some organizations outsource the
majority of products. During interview of the management representative, ascertain the extent to
which the organization outsources processes essential for the proper functioning of the finished
medical device. Process performance and product conformity, including the performance of
supplied product, must be included in management review. The organization must ensure
control over outsourced products and processes that affect product conformance with specified
requirements.

Companion Document 7
 Link: Purchasing
During audit of the organization’s Purchasing process, ensure that management has assured the
appropriate level of control over suppliers, including an assessment of the relationship between
supplied products and product risk.

6. Confirm the organization has determined the necessary competencies for personnel
performing work affecting product quality, provided appropriate training, and made
personnel aware of the relevance and importance of their activities on product quality
and achievement of the quality objectives. Ensure records of training and competencies
are maintained.
Clause and Regulation: [ISO 13485:2003: 4.2.1, 6.2.2; RDC ANVISA 16/2013: 2.2.3, 2.2.4, 2.3; 21 CFR 820.25]

Additional country-specific requirements:

Brazil (ANVISA):

Confirm that the manufacturer ensures that any consultant who gives advice regarding design, purchasing,
manufacturing, packaging, labeling, storage, installation, or servicing of medical devices has proper
qualification to perform such tasks. Those consultants shall be contracted as a formal service supplier,
according to purchasing controls defined by the manufacturer [RDC ANVISA 16/2013: 2.3.3].

United States (FDA):

Verify that resources include the assignment of trained personnel to meet the requirements of 21 CFR Part
820, including management, performance of work, assessment activities, and internal quality audits [21 CFR
820.20(b)(2)].

Assessing conformity:

Training
A review of employee training records can be performed to ensure that employees have been
trained regarding the organization’s quality policy and objectives. In particular, this should be done
for employees involved in key operations that affect product realization and product quality.

Link: Production and Service Controls

During the audit of the Production and Service Controls process, ensure that employees who
are involved in key operations that affect product realization and product quality have been
trained in their specific job tasks, as well as the quality policy and objectives. When appropriate,
review the training records for those employees whose activities have contributed to process
nonconformities.

7. Verify that management has committed to and has responsibility for overall risk management planning,
including ongoing review of the effectiveness of risk management activities ensuring that policies,
procedures and practices are established and documented for analyzing, evaluating and controlling product
risk throughout product realization.
Clause and Regulation: [ISO 13485:2003: 7.1; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4; 21 CFR 820.30(g)]

Additional country-specific requirements: None

Assessing conformity:

8 Companion Document
 Commitment to risk management
Confirm that top management has shown commitment to the risk management process by
ensuring the provision of adequate resources and the assignment of qualified personnel for risk
management activities. Risk-based decisions occur throughout the various quality management
system processes. Top management is responsible for defining and documenting the policy
for determining criteria for risk acceptability. Additionally, ensure top management reviews the
suitability of the risk management process. This review may be part of the management review.
Previously unidentified risks discovered during the production and post-production of the medical
device may indicate a need to improve the risk management process. Each organization must
decide how much risk is acceptable.
When appropriate, assess the role of top management when risk-based decisions are made that
appear to justify levels of risk that do not meet the organization’s previously established risk-
acceptance criteria.

Link: Design and Development

Risk management usually starts in conjunction with the design and development planning
process at a point in the development when the results of risk analysis can affect the design
process. During audit of the Design and Development process, evaluate top management’s
commitment to risk management activities. Evidence of commitment to risk management may
include the implementation of new or more stringent controls, external controls (e.g. additional
supplier-related controls), or design changes to maintain an acceptable level of product risk.

8. Verify that procedures have been defined, documented, and implemented for the control
of documents and records required by the quality management system. Confirm the
organization retains records and at least one obsolete copy of controlled documents for
a period of time at least equivalent to the lifetime of the device, but not less than two
years from the date of product release.
Clause and Regulation: [ISO 13485:2003: 4.2.1, 4.2.3, 4.2.4; RDC ANVISA 16/2013: 3.1; 21 CFR 820.40, 820.180]

Additional country-specific requirements:

Australia (TGA):

Confirm that Quality Management System documentation and records in relation to a device are retained by
the manufacturer for at least 5 years [TG(MD)R Sch3 P1 1.9].

Brazil (ANVISA):

Verify that change records include a description of the change, identification of the affected documents, the
signature of the approving individual(s), the approval date, and when the change becomes effective [RDC
ANVISA 16/2013: 3.1.5].

Confirm that the manufacturer maintains a master list of the approved and effective documents [RDC
ANVISA 16/2013: 3.1.5].

Verify that electronic records and documents have backups [RDC ANVISA 16/2013: 3.1.6].

United States (FDA):

Companion Document 9
 Confirm that approved changes to documents are communicated to the appropriate personnel in a timely
manner [21 CFR 820.40(b)].

Assessing conformity:

Implementation of document and records procedures

Confirm that the organization has defined, documented, and implemented procedures for control
of quality management system documents and records. Evidence that these controls are effective
can be ascertained through the audit of the other quality management system processes. For
example, evidence that the document controls process is ineffective might be the observation of
obsolete procedures being used or required records being unavailable.
Ensure at least one copy of obsolete controlled documents is maintained.
9. Verify that management reviews are being conducted at planned intervals and that
they include a review of the suitability and effectiveness of the quality policy, quality
objectives, and quality management system to assure that the quality management
system meets all applicable regulatory requirements.
Clause and Regulation: [ISO 13485:2003: 5.6; TG(MD)R Sch3 P1 1.4(5)(b)(iii); RDC ANVISA 16/2013: 2.2.6; 21 CFR
820.20(c)]

Additional country-specific requirements: None

Assessing conformity:

Verify implementation of management review procedures

It is important to verify that the organization has implemented effective management review
procedures. Top management must review the suitability, adequacy and effectiveness of the
organization’s quality management system at defined intervals and with sufficient frequency to
ensure that the quality management system satisfies applicable requirements of Medical devices –
Quality management systems – Requirements for regulatory purposes (ISO 13485:2003), Brazilian
Good Manufacturing Practices (RDC ANVISA 16/2013), the Quality System Regulation (21 CFR
Part 820) and specific requirements of medical device regulatory authorities participating in the
MDSAP program, in addition to the organization’s own established quality policy and objectives.
The dates and results of the management reviews must be documented. These documentation
requirements must be included in the management review procedure.
Other requirements commonly seen in management review procedures include a fixed agenda
of topics to be discussed (with flexibility for unique agenda items to be added), the necessary
attendees who are to participate in the management review, and how action items resulting from
the management review are to be addressed and input into the Measurement, Analysis and
Improvement process when necessary. Ensure that the quality policy and objectives have been
reviewed for continued suitability and that any changes to regulatory requirements have been
identified. Other inputs to management review include results of internal and external audits,
customer feedback, process performance and product conformity, status of preventive and
corrective actions, follow-up actions from previous management reviews, changes that could
affect the quality management system, and recommendations for improvement.
Link: Measurement, Analysis and Improvement
During audit of the Measurement, Analysis and Improvement process, confirm when necessary that
action items resulting from Management review are considered for corrective or preventive action.

10 Companion Document
10.Confirm that management has identified and ensured the applicable device marketing
authorization and facility registration processes have been followed and that
appropriate documents have been submitted to the applicable regulatory authorities in
the markets in which the devices are offered for commercial distribution.
Clause and Regulation: [ISO 13485:2003: 4.2.1, 7.2.1]

Additional country-specific requirements:

Australia (TGA):

Medical device market authorization, facility registration, and the submission of appropriate documentation
to the TGA, are responsibilities of the Australian Sponsor. Australian manufacturers are also, by definition,
Australian Sponsors.

For manufacturers located outside of Australia:

Confirm that the manufacturer is aware of the Australian Sponsor’s entries in the Australian Register of
Therapeutic Goods (ARTG).

Confirm that the manufacturer has a written agreement with the Australian Sponsor to ensure that
information about the compliance of a device included in the ARTG, with the Essential Principles through
the application of a relevant conformity assessment procedure, and information concerning adverse events,
advisory notices and recalls is readily available to the Sponsor or the TGA. The agreement must also require
the Australian Sponsor to provide the manufacturer with any information in relation to the manufacturer’s
obligations under the conformity assessment procedures and any information in relation to whether the
medical device complies with the Essential Principles [TG Act s41FD, s41FN(3)(e), TG(MD)R Sch3 P1
Cl1.4(3), Cl1.7].

Brazil (ANVISA):

For domestic manufacturers, confirm that the establishment has ANVISA’s authorization to manufacture
medical devices (AFE - Autorização de Funcionamento da Empresa). For domestic and international
manufacturers, verify that the products already distributed in the Brazilian market, are registered/notified with
ANVISA [Brazilian Federal Law 6360/76].

Canada (HC):

Verify that the manufacturer has defined, documented, and implemented processes to ensure that devices
are licensed prior to sale [CMDR Sections 26, 32, 34, 43].

Verify that the manufacturer has defined, documented and implemented processes to ensure that any new
or modified quality management system certificate issued to the manufacturer for regulatory purposes is
submitted to the Minister within 30 days after it is issued [CMDR Section 43.1].

United States (FDA):

Confirm the establishment is registered with FDA and devices marketed to the United States are listed.
Confirm the manufacturer has submitted a pre-market notification or approval (as applicable) to FDA prior to
marketing the device in the United States [21 CFR 807].

Assessing conformity:

Responsibilities and authorities of personnel

During audit of the Management process, ascertain the responsibilities and authorities of
employees responsible for ensuring proper registration, licensing, notification and listing
information is accurately submitted to regulatory authorities or authorized representatives
(e.g. Australian Sponsor) participating in the MDSAP. Confirm the appropriate information is
submitted to regulatory authorities or authorized representatives during the review of the Device

Companion Document 11
 Marketing Authorization and Facility Registration process. Preliminary review of Device Marketing
Authorization and Facility Registration can be made during audit of the Management process,
followed by comprehensive coverage for specific medical devices selected for review under the
Design and Development process.

Link: Device Marketing Authorization and Facility Registration

11.At the conclusion of the audit, a decision should be made as to whether top
management has demonstrated the necessary commitment to ensure a suitable and
effective quality management system is in place and being maintained and whether the
effectiveness of the system has been communicated to personnel.
Clause and Regulation: [ISO 13485:2003: 5.1, 5.5.3; RDC ANVISA 16/2013: 2.2.1; 21 CFR 820.20(a), 820.5]

Assessing conformity:

Audit the other processes

During the audit of the other MDSAP processes, the audit team will have the opportunity to assess
whether management is appropriately carrying out its responsibilities; whether the quality policy is
understood, implemented, and maintained at all levels of the organization; if the necessary resources
are being provided to maintain an effective quality management system; if the management
representative has the necessary responsibilities and authorities; the adequacy of the organizational
structure; and whether management reviews and quality audits are effective, etc.
Remember that a quality management system that has been implemented effectively, monitored
to identify and address existing and potential problems, and has an integrated risk management
process utilizing risk-based decision-making is more likely to produce medical devices that
function as intended.

12 Companion Document
 Medical Device Single Audit Program
Chapter 2
Process: Device Marketing Authorization and Facility Registration

The Device Marketing Authorization and Facility Registration process may be audited as a linkage
from the Management process and/or the Design and Development process.
Purpose: The purpose of auditing the Device Marketing Authorization and Facility Registration
process is to verify that the organization has performed the appropriate activities regarding device
marketing authorization and facility registration with regulatory authorities participating in the MDSAP.
Outcomes: As a result of the audit of the Device Marketing Authorization and Facility Registration
process, objective evidence will show whether the organization has:
A) Complied with requirements to register and/or license device facilities
B) Submitted device listing information to regulatory authorities when applicable
C) Obtained device marketing authorization in the appropriate jurisdictions
D) Arranged for assessment of changes (where applicable) and obtained marketing authorization
for changes to devices or the quality management system which require amendment to existing
marketing authorization

Links to Other Processes: Management, Design and Development

Audit Tasks and Links to Other Processes:

1. Verify the organization has complied with regulatory requirements to register and/or license
device facilities and submit device listing information in the appropriate jurisdictions where the
organization markets or distributes their devices.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.2.1; see the country-specific requirements below]

Country specific requirements:

Australia (TGA):

Manufacturer of a medical device is the person who is responsible for the design, production, packaging
and labeling of the device before it is supplied under the person’s name, whether or not it is the person, or
another person acting on the person’s behalf, who carries out those operations.

Australian importers (Sponsors) are required to include (register) medical devices from non-Australian
manufacturers in the Australian Register of Therapeutic Goods (ARTG). To assist the Australian sponsor,
non-Australian manufacturers must undertake the following tasks to demonstrate that they have met the
obligations on manufacturers who wish to supply to Australia;

- Classify the device using the Australian classification rules

- Identify an Australian conformity assessment procedure that is to be applied in accordance with the
classification of the device

- Obtain 3rd party assessment of their QMS and the device in accordance with the selected conformity
assessment procedure or an equivalent EU MDD, AIMD or IVDD procedure

Companion Document 13
 - Prepare an Australian Declaration of Conformity in accordance with the requirements of the
Conformity Assessment Procedure that has been applied [TG(MD)R Sch 3 P1 Cl1.8].

- Either provide to the Australian Sponsor, or enter into a written agreement with the Sponsor that
requires the manufacturer to provide to the Sponsor, or the TGA, on request;

o Evidence that their device complies with the Australian Essential Principles

o Evidence that the manufacturer has applied an Australian Conformity Assessment Procedure, or
equivalent MDD / AIMD / IVDD conformity assessment procedure.

o Information about reportable adverse events, advisory notices or recalls

o Permit the TGA to inspect the manufacturer’s premises at any reasonable time, to inspect
medical devices of any kind on those premises and to examine, take measurements of, conduct
tests on, require tests to be conducted on or take samples of medical devices of any kind on
those premises or any thing on those premises that relates to medical devices of any kind. While
on those premises, to make any still or moving image or any recording of those premises or any
thing on those premises; and

o If requested to do so by an authorized person, produce to the person such documents relating

to devices of the kind included in the Register as the person requires and allow the person to
copy the documents

o That the manufacturer will comply with any conditions imposed on the manufacture of devices

o That the Sponsor provide the manufacturer with information in relation to the manufacturer’s
obligations under a conformity assessment procedure and information in relation to whether the
devices comply with the Essential Principles [TG Act 41FN(3)(e)].

Refer to:

- Therapeutic Goods Act 1989

o Part 4-2 – Essential Principles and medical device standards

o Part 4-3 – Conformity Assessment Procedures

o Section 41FD – Matters to be certified

o Section 41FN – Conditions applying automatically

o Section 41FO – Conditions imposed when kinds of medical devices are included in the Register

o Section 41FP – Conditions imposed after kinds of medical devices are included in the Register

- Therapeutic Goods (Medical Devices) Regulations 2002

o Regulation 3.5 – Medical devices manufactured outside Australia

o Schedule 1 – Essential Principles

o Schedule 2 – Classification Rules

o Schedule 3 – Conformity Assessment Procedures

Brazil (ANVISA):

For a domestic manufacturer, confirm that the establishment has ANVISA’s authorization to manufacture
medical devices (AFE - Autorização de Funcionamento da Empresa). For domestic and international
manufacturers, verify that the products already distributed in the Brazilian market are registered/notified with
ANVISA [Brazilian Federal Law nº 6360/76].

14 Companion Document
 Manufacturer means any person who designs, manufactures, assembles or processes finished devices,
including those who only perform sterilization process, labeling and packaging [RDC ANVISA 16/2013: 1.2.9].

According Brazilian Legislation, the Good Manufacturing Practice (GMP) certification is a prerequisite for
medical device registration. Therefore, the facility site inspection precedes the device registration request.
Medical devices subject to notification do not need the GMP certificate, but even not being certified, their
manufacturers shall comply with the GMP requirements.

• Medical devices registration/notification:

Device marketing authorization shall be requested to ANVISA by the domestic manufacturer or importer
(legal representative) formally established in Brazil.

Registration is a comprehensive process for market authorization, applied to medical devices in classes III
and IV, and some class I and II devices, listed on an exception list [ANVISA IN nº 03/2011].

Notification is a simplified market authorization process, applied to medical device classes I and II, not listed
on the exception list [ANVISA IN nº 03/2011].

Both registration and notification are valid for 5 years – renewal of these authorizations shall be requested
upon time defined at Brazilian Law 6360/1976.

• Establishment license:

Domestic manufacturer: shall be authorized by ANVISA, at a minimum, as a manufacturer of medical

devices. This license includes authorization to store and distribute medical devices.

Importer: the importer is considered the legal representative of the international manufacturer in Brazil and
shall be authorized by ANVISA to import, store, and distribute medical devices. In the case of outsourcing
the storage, the importer does not need authorization for this activity.

Canada (HC):

Manufacturer means a person who sells a medical device under their own name, or under a trade-mark,
design, trade name or other name or mark owned or controlled by the person, and who is responsible for
designing, manufacturing, assembling, processing, labeling, packaging, refurbishing or modifying the device, or
for assigning to it a purpose, whether those tasks are performed by that person or on their behalf [CMDR 1].

No person shall import or sell a Class II, III or IV medical device unless the manufacturer of the device holds
a license in respect of that device or, if the medical device has been subjected to a change described in
section 34, an amended medical device license [CMDR 26].

An application for a medical device license shall be submitted to the Minister by the manufacturer of the
medical device in a format established by the Minister [CMDR 32].

An application for a medical device license shall include a copy of a quality management system certificate
certifying that the quality management system under which the medical device is manufactured (class II) or
designed and manufacturer (class III or IV) satisfies National Standard of Canada CAN/CSA-ISO 13485:2003.
[CMDR 32(2)(f); 32(3)(j); 32(4)(p)].

United States (FDA):

21 CFR 807 - Establishment Registration and Device Listing for Manufacturers and Initial Importers of
Devices:

Establishment means a place of business under one management at one general physical location at which
a device is manufactured, assembled, or otherwise processed.

Owner or operator means the corporation, subsidiary, affiliated company, partnership, or proprietor directly
responsible for the activities of the registering establishment.

Owner or operator must register the establishment and submit listing information to Food and Drug
Administration (FDA) for those devices in commercial distribution, regardless of classification—

Companion Document 15
 The registration and listing requirements must pertain to any person who:

(1) Initiates or develops specifications for a device that is to be manufactured by a second party for
commercial distribution by the person initiating specifications;

(2) Manufactures for commercial distribution a device either for itself or for another person; regardless of
whether the manufacturer places the device into commercial distribution or returns the device to the
customer;

(3) Repackages or relabels a device;

(4) Acts as an initial importer;

(5) Manufactures components or accessories which are ready to be used for any intended health-related
purpose and are packaged or labeled for commercial distribution for such purpose;

(6) Acts as a contract sterilizer, whether the contract sterilizer places the devices into commercial
distribution or returns the devices to the customer;

(7) Acts as a complaint file establishment; or

(8) Is a device establishment located in a foreign trade zone

Link: Management
During audit of the Management process, confirm that management is aware of and has made
arrangements for device marketing authorization and facility registration.

2. Confirm the organization has received appropriate marketing clearance or approval in

the regulatory jurisdictions where the organization markets their devices.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.2.1; see the country-specific requirements below]

Country specific requirements:

Australia (TGA):

Marketing authorization (inclusion in the Australian Register of Therapeutic Goods [ARTG]) is granted to the
Australian Sponsor. Non-Australian manufacturers will need to assist the Sponsor through the provision of
information. A Sponsor is not permitted to import a device until market authorization has been granted.

A non-Australian manufacturer’s procedures should ensure that product is not released for export and supply
to Australia unless the Australian Sponsor has been issued with a “Certificate of Inclusion in the Australian
Register of Therapeutic Goods” that identifies each kind of medical device that has been approved for supply
to the Australian market [TG Act s41FJ].

Brazil (ANVISA):

In Brazil there are two kinds of marketing clearance, registration and notification:

Device market clearance shall be requested to ANVISA by the domestic manufacturer or importer
(legal representative) formally established in Brazil.

Registration is a comprehensive process for market authorization, applied to medical devices in

classes III and IV, and some class I and II devices, listed on an exception list [ANVISA IN nº 03/2011].

Notification is a simplified market authorization process, applied to medical devices classes I and II,
not listed on the exception list [ANVISA IN nº 03/2011].

Both registration and notification are valid for 5 years – renewal of these authorizations shall be
requested upon time defined at Brazilian Law 6360/1976.

16 Companion Document
 Canada (HC):

No person shall import or sell a Class II, III or IV medical device unless the manufacturer of the device holds
a license in respect of that device or, if the medical device has been subjected to a change described in
section 34, an amended medical device license [CMDR 26].

United States (FDA):

21 CFR 807.81- When a pre-market notification is required:

Each person who is required to register his establishment pursuant to 807.20 must submit a
premarket notification submission to the Food and Drug Administration at least 90 days before
he proposes to begin the introduction or delivery for introduction into interstate commerce for
commercial distribution of a device intended for human use which meets any of the following criteria:

(1) The device is being introduced into commercial distribution for the first time; that is, the device
is not of the same type as, or is not substantially equivalent to, (i) a device in commercial
distribution before May 28, 1976, or (ii) a device introduced for commercial distribution after May
28, 1976, that has subsequently been reclassified into class I or II.

(2) The device is being introduced into commercial distribution for the first time by a person required
to register

21 CFR 814 – Premarket Approval

A Premarket approval is required for any FDA class III device that was not on the market (introduced
or delivered for introduction into commerce for commercial distribution) before May 28, 1976, and
is not substantially equivalent to a device on the market before May 28, 1976, or to a device first
marketed on, or after that date, which has been classified into class I or class II.

Link: Management, Design and Development

During the audit of the Management and Design and Development processes, ensure that
management is aware of requirements for device marketing authorization and facility registration,
and that these are considered when designing the device. Confirm that management obtains
marketing authorization in the appropriate jurisdictions prior to commercial distribution of the device.

3. Verify the organization has identified changes to marketed devices or the quality
management system which require notification to regulatory authorities.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.2.1; see the country-specific requirements below]

Country specific requirements:

Australia (TGA):

The manufacturer is required to notify their assessment body of:

A proposed substantial change to their QMS

A proposed change to the kinds of medical devices to which the system is to be applied

For Class III or AIMD, a proposed change to design, or intended performance of the device

Refer to:

Therapeutic Goods (Medical Devices) Regulations 2002

Regulation 3.5 – Medical devices manufactured outside Australia

Schedule 3 - The relevant conformity assessment procedure chosen by the manufacturer

Companion Document 17
 Note: An entry in the Australian Register of Therapeutic Goods (inclusion) in the name of the Australian
Sponsor is in effect until cancelled.

Brazil (ANVISA):

Changes involving medical devices already approved by ANVISA, shall be submitted for a new approval
[Brazilian Law nº 6360/76 - Art. 13]. Changes/modifications that shall be submitted are those ones
classified as significant change, which affects: a) features of safety and effectiveness, including measures
to communicate information (ex. residual risk); b) identification of the device or its manufacturer or
manufacturing site; c) indication for use, including its purpose, patient type (adult, pediatric, newborn)
or environment to be used (domestic, hospital, ambulance, etc.); e) device classification; f) technical
specification of the device, including composition and other operational/technical/physical features; g)
manufacturing method.

Examples of modifications that may require a new submission include, but are not limited to, the following:

• Sterilization method;

• Structural material / composition;

• New or additional manufacturer;

• Manufacturing method;

• Manufacturing site;

• Operating parameters or conditions for use;

• Patient or user safety features;

• Sterile barrier packaging material;

• Stability or expiration claims;

• Design;

• Labels and instructions of use (if modification is regarding information);

• Commercial name;

• Indication for use;

• New software version;

• Commercial presentation;

• Inclusion of a new device in a family of medical devices already approved;

• Inclusion of new accessories.

Canada (HC):

If the manufacturer proposes to make one or more changes, the manufacturer shall submit to the Minister,
in a format established by the Minister, an application for a medical device license amendment including the
information and documents set out in section 32 that are relevant to the change [CMDR 34].

Every manufacturer of a licensed medical device shall, annually before November 1 and in a form authorized by
the Minister, furnish the Minister with a statement signed by the manufacturer or by a person authorized to sign on
the manufacturer’s behalf describing any change to the information and documents supplied by the manufacturer
with respect to the device, other than those to be submitted under section 34 or 43.1 [CMDR 43].

If the holder of a medical device license discontinues the sale of the medical device in Canada, the licensee
shall inform the Minister within 30 days after the discontinuance, and the license shall be cancelled at the
time that the Minister is informed [CMDR 43(3)].

18 Companion Document
 Subject to section 34, if a new or modified quality management system certificate is issued in respect of a
licensed medical device, the manufacturer of the device shall submit a copy of the certificate to the Minister
within 30 days after it is issued [CMDR 43.1].

United States (FDA):

21 CFR 807 - Establishment Registration and Device Listing for Manufacturers and Initial Importers of
Devices:

Update the device listing information during each June and December or, at its discretion, at the time
the change occurs. Conditions that require updating and information to be submitted for each of
these updates are as follows:

(1) If an owner or operator introduces into commercial distribution a device identified with a
classification name not currently listed by the owner or operator

(2) If an owner or operator discontinues commercial distribution of all devices in the same device
class

Update registration if changes in individual ownership, corporate or partnership structure, or location of

at the time of annual registration, or by letter if the changes occur at other times. This information must
be submitted within 30 days of such changes. Changes in the names of officers and/or directors of the
corporation(s) must be filed with the establishment’s official correspondent and must be provided to the Food
and Drug Administration upon receipt of a written request for this information.

21 CFR 807.81(a)(3) - When a premarket notification submission is required:

A new complete 510(k) application is required for changes or modifications to an existing device,
where the modifications could significantly affect the safety or effectiveness of the device, or the
device is to be marketed for a new or different indication. All changes in indications for use require
the submission of a 510(k).

Examples of modifications that may require a 510(k) submission include, but are not limited to, the following:

• Sterilization method

• Structural material

• Manufacturing method

• Operating parameters or conditions for use

• Patient or user safety features

• Sterile barrier packaging material

• Stability or expiration claims

• Design

21 CFR 814.39 – PMA Supplements

After FDA’s approval of a PMA, an applicant shall submit a PMA supplement for review and approval
by FDA before making a change affecting the safety or effectiveness of the device for which the
applicant has an approved PMA. While the burden for determining whether a supplement is required
is primarily on the PMA holder, changes for which an applicant shall submit a PMA supplement
include, but are not limited to, the following types of changes if they affect the safety or effectiveness
of the device:

(1) New indications for use of the device

(2) Labeling changes

Companion Document 19
 (3) The use of a different facility or establishment to manufacture, process, or package the device

(4) Changes in sterilization procedures

(5) Changes in packaging

(6) Changes in the performance or design specifications, circuits, components, ingredients, principle
of operation, or physical layout of the device

(7) Extension of the expiration date of the device based on data obtained under a new or revised
stability or sterility testing protocol that has not been approved by FDA

Link: Design and Development

During the audit of the Design and Development process, the audit team should confirm the
organization has considered regulatory requirements for device marketing authorization and facility
registration; and has complied with these requirements prior to marketing the changed device in
the applicable regulatory jurisdictions.

20 Companion Document
 Medical Device Single Audit Program
Chapter 3
Process: Measurement, Analysis and Improvement

One of the most important activities in the quality management system is the identification of existing
and potential causes of product and quality problems. Such causes must be identified so that
appropriate and effective corrective or preventive actions can take place. These activities are carried
out under the Measurement, Analysis and Improvement process.
The purpose of an organization’s Measurement, Analysis and Improvement process is to collect and
analyze information, identify and investigate existing and potential causes of product and quality
problems, and take appropriate and effective corrective or preventive action to prevent recurrence
or occurrence. It is essential that an organization verify or validate these actions, communicate
corrective and preventive action activities to responsible people, provide relevant information for
management review, and document these activities. These activities will help the organization deal
effectively with existing or potential product and quality problems, prevent their recurrence and/or
occurrence, and prevent or minimize device failures or other quality problems.
The management representative is responsible for ensuring that the requirements of the quality
management system have been effectively defined, documented, implemented, and maintained.
Prior to the audit of any process, interview the management representative (or designee) to obtain an
overview of the process and a feel for management’s knowledge and understanding of the process.
The Measurement, Analysis and Improvement process is the second primary process to be audited
per the MDSAP audit sequence. When applicable, information regarding device or identified quality
management system nonconformities observed during the audit of the Measurement, Analysis and
Improvement process should be used to make decisions as to design projects or design changes to
assess during audit of the Design and Development process, suppliers to evaluate during audit of the
Purchasing process, and processes to review during audit of the Production and Service Controls
process.
Auditing the Measurement, Analysis and Improvement Process
Purpose: The purpose of auditing the Measurement, Analysis and Improvement process is to
verify that the manufacturer’s processes ensure that information related to products, processes, or
the quality management system is collected and analyzed to identify actual and potential product,
process, or quality system nonconformities, that problems and potential problems are investigated,
and that appropriate and effective corrective actions and preventive actions are taken.
Outcomes: As a result of the audit of the Measurement, Analysis and Improvement process,
objective evidence will show whether the organization has:
A) Defined, documented, and implemented procedures for measurement, analysis and improvement
that address the requirements of the quality management system standard and participating
MDSAP regulatory authorities
B) Identified, analyzed, and monitored appropriate sources of quality data to identify nonconformities
or potential nonconformities and determined the need for corrective or preventive action

Companion Document 21
C) Ensured investigations are conducted to identify the underlying cause(s) of nonconformities and
potential nonconformities, where possible
D) Implemented appropriate corrective action to eliminate the recurrence or preventive action to
prevent the occurrence of product or quality system nonconformities, commensurate with the
risks associated with the nonconformities or potential nonconformities encountered
E) Reviewed the effectiveness of corrective action and preventive action
F) Utilized information from the analysis of production and post-production quality data to amend the
analysis of product risk, as appropriate

Links to Other Processes: Design and Development; Production and Service Controls;
Purchasing; Medical Device Adverse Events and Advisory Notices Reporting; Management

Audit Tasks and Links to Other Processes:

1. Verify that procedures for measurement, analysis and improvement which address the
requirements of the quality management system standard and regulatory authorities
have been established and documented. Confirm the organization maintains and
implements procedures to monitor and measure product conformity throughout product
realization, as well as procedures that provide for mechanisms for feedback to provide
early warnings of quality problems and the implementation of corrective action and
preventive action.
Clause and regulation: [ISO 13485:2003: 4.2.1, 8.2.1, 8.2.4.1, 8.5; TG(MD)R Sch3 P1 1.4(5)(b)(iii), Sch3 P1 Cl 1.4(5)
(f); RDC ANVISA 16/2013: 5.3.1, 7.1, 7.2; 21 CFR 820.100(a)]

Additional country-specific requirements:

United States (FDA):

Verify that procedures are in place for verifying or validating the corrective and preventive action to ensure the
action is effective and does not adversely affect the finished device [21 CFR 820.100(a)(4)].

Verify procedures ensure that information related to quality problems or nonconforming product is disseminated
to those directly responsible for assuring the quality of such product or the prevention of problems [21 CFR
820.100(a)(6)].

Confirm procedures provide for the submission of relevant information on identified quality problems, as well
as corrective and preventive actions, for management review [21 CFR 820.100(a)(7)].

Assessing conformity:

Procedures
Each organization must establish and maintain procedures for analyzing data and implementing
corrective action and preventive action. The procedures must include requirements for:
(a)Analyzing feedback, conformity to product requirements, characteristics and trends of
processes and products (including opportunities for preventive action), and conformity of
suppliers
(b)Reviewing nonconformities, including customer complaints
(c)Evaluating the need for action to prevent recurrence or occurrence of nonconformities

22 Companion Document
 (d)Recording the results of any investigations and of actions taken
(e)Identifying the action(s) needed to correct and prevent recurrence or occurrence of
nonconforming product and other quality problems
(f) Ensure that action is effective and does not adversely affect the finished device
(g)Implementing and recording changes in methods and procedures needed to correct and
prevent identified quality problems
(h)Ensuring that information related to quality problems or nonconforming product is disseminated
to those directly responsible for assuring the quality of such product or the prevention of such
problems
2. Determine if appropriate sources of quality data have been identified for input into the
measurement, analysis and improvement process, including customer complaints,
feedback, service records, returned product, internal and external audit findings,
and data from the monitoring of products, processes, nonconforming products, and
suppliers. Confirm that data from these sources are accurate and analyzed using valid
statistical methods (where appropriate) to identify existing and potential product and
quality management system nonconformities that may require corrective or preventive
action.
Clause and regulation: [ISO 13485:2003: 4.2.1, 8.1, 8.4, 8.5; TG(MD)R Sch3 P1 Cl 1.4(3); RDC ANVISA 16/2013:
7.1.1.1, 9.1; 21 CFR 820.100(a)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that the organization has established and maintained procedures for identifying valid statistical
techniques required for verifying the quality system performance and process capability for achieving
established specifications [RDC ANVISA 16/2013: 9.1].

United States (FDA):

Where appropriate, verify the organization has established and maintained procedures for identifying valid
statistical techniques required for establishing, controlling, and verifying the acceptability of process capability
and product characteristics [21 CFR 820.250(a)].

Assessing conformity:

Quality data sources

Complaints, records of acceptance activities and concessions, nonconformities identified in
internal audits, service records, acceptability of supplied product and supplier performance,
and data presented in management review are common quality data sources that are useful in
identifying quality problems, among others.
Some sources of quality data that may be useful in identifying potential problems are acceptance
activities, such as component, in-process, or finished device testing; environmental monitoring,
and statistical process control (SPC). Results of acceptance activities may indicate an
unfavorable trend that left unattended may result in product nonconformity.
During the audit of the Measurement, Analysis and Improvement process, it is recommended that
the auditor(s) review the previous audit report if there is one for the organization. If this information

Companion Document 23
 is available, the audit team should use the information in the report when selecting some quality
data sources to review during the audit. For example, if service records were reviewed during
the previous audit and the organization was handling the data appropriately, the audit team may
wish to select a different data source for review during the audit. However, if the previous audit
documented that the data from service records were not being entered into the Measurement,
Analysis and Improvement process appropriately, the audit team should consider reviewing
service records again to determine whether the previous deficiency was effectively addressed.
Select some sources of quality data. Determine if the data from these sources were entered into
the organization’s Measurement, Analysis and Improvement process for analysis and whether
the information was complete, accurate, and entered in a timely fashion. Be mindful of quality
problems that appear in more than one data source. For example, device nonconformities noted
in complaints should be compared with similar nonconformities noted during the organization’s
analysis of data from other data sources such as product reject reports, or nonconforming
product or process reports. This comparison will help the organization and the audit team
understand the full extent of the quality problem.
Analysis of data
An organization should use data from a variety of quality data sources to identify the causes of
existing product and quality problems. Not all organizations will have the same sources of quality
data. For example, service records and installation reports are quality data sources that may not
be found at every device manufacturer. As the audit team is conducting the audit, determine what
sources of quality data the organization has identified. The audit team will also determine whether
the sources identified by the organization are appropriate and if the organization is analyzing
quality data from these sources to identify existing product problems as well as existing problems
within its quality system. Later in the evaluation of the Measurement, Analysis and Improvement
process, the audit team will be sampling raw quality data to determine how the organization
analyzed the quality data and responded to the results of its analysis.
An organization should also use data from a variety of quality data sources to identify the causes of
potential product and quality problems. The organization should be looking for trends or other indications
of potential problems before the problems actually occur. The organization may choose to perform
analysis of competing devices, including reviewing advisory notices related to competing devices, to
determine whether similar nonconformities could occur in the organization’s devices. Determine whether
the organization can identify potential product and quality problems that may require preventive action.
An organization has the flexibility to use whatever methods of analysis are appropriate to identify existing
and potential causes of nonconforming product or other quality problems. However, an organization
must use appropriate statistical methodology where necessary to detect recurring quality problems.
An organization must also use appropriate statistical tools when it is necessary to use statistical
methodology. It should not misuse statistics in an effort to minimize the problem or avoid addressing the
problem.
Link: Purchasing
During the audit of the Measurement, Analysis and Improvement process, the audit team may
encounter data involving product nonconformities, including complaints involving finished devices,
where the underlying cause of the quality problem has been traced to a supplied product. During
the audit of the Purchasing process, the audit team should consider selecting suppliers to audit
that have corrective action indicators of nonconformities with supplied components or processes.

24 Companion Document
3. Determine if investigations are conducted to identify the underlying cause(s) of detected
nonconformities, where possible. Confirm investigations are commensurate with the risk of the
nonconformity.
Clause and regulation: [ISO 13485:2003: 8.5.2; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4, 6.5.1, 7.1.1.2; 21
CFR 820.100 (a)(2)]

Additional country-specific requirements: None

Assessing conformity:

Investigations of nonconformities
The depth of the organization’s investigation of a process, product, or other quality system
nonconformity should be commensurate with the significance and risk of the nonconformity. The
process for determining the extent of an investigation may be linked to the organization’s risk
management system and the design outputs essential to the proper functioning of the device.
A correction is not the same as a corrective action. In order for an organization to take a corrective
action (i.e., action taken to prevent recurrence of an existing nonconformity), an investigation
must be conducted to determine the cause of the nonconformity. Often an organization will only
make a correction to handle the immediate problem (e.g. relabeling a lot of mislabeled finished
devices). Determining the cause of the lot of mislabeled finished devices is more difficult and may
be overlooked. Where possible, the organization should identify the underlying cause or causes of
the nonconformity so that appropriate corrective action can be taken.
Selecting records
When selecting records of investigations to review, be mindful of the risk of the nonconformity to
the product or process. Select records of investigations where the nonconformity has a higher
risk of adversely affecting the ability of the finished device to meet its essential design outputs or
the nonconformity affects the safety and efficacy of the product.
4. Determine if investigations are conducted to identify the underlying cause(s) of potential
nonconformities, where possible. Confirm investigations are commensurate with the risk of the
potential nonconformity.
Clause and regulation: [ISO 13485:2003: 8.5.3; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4, 7.1.1.1; 21 CFR
820.100(a)(2)]

Additional country-specific requirements: None

Assessing conformity:

Investigations of potential nonconformities

The depth of the organization’s investigation into potential process, product, or other quality
system nonconformities should be commensurate with the risk of the nonconformity if it were
to occur. The process for determining the extent of an investigation may be linked to the
organization’s risk management system and outputs essential to the proper functioning of the
device.
Selecting records
When selecting records of investigations to review, be mindful of the risk of the potential
nonconformity to the product or process. Select records of investigations where the potential

Companion Document 25
 nonconformity has a higher risk of adversely affecting the ability of the finished device to meet its
essential design outputs or the potential nonconformity could affect the safety and efficacy of the
product.
5. Confirm that corrections, corrective actions, and preventive actions were determined,
implemented, documented, effective, and did not adversely affect finished devices.
Ensure corrective action and preventive action is appropriate to the risk of the non-
conformities or potential nonconformities encountered.
Clause and regulation: [ISO 13485:2003: 8.2.2, 8.2.3, 8.3, 8.5.2, 8.5.3; TG(MD)R Sch1 P1 2; Sch3 P1 1.4(5)(b)(iii),
Sch3 P1 1.4(5)(f); RDC ANVISA 16/2013: 2.4, 6.5, 7.1.1.3, 7.1.1.4, 7.1.1.5; 21 CFR 820.100(a)(3), 820.100 (a)(4),
820.100(a)(6), 820.100(b)]

Additional country-specific requirements: None

Assessing conformity:

Determining the extent of actions

Corrective actions taken by an organization can vary depending on the situation. Corrective
actions are intended to correct and also prevent recurrence of not only nonconforming product
but also poor practices, such as inadequate training.
In developing corrective action addressing nonconforming product, the organization should consider
corrections to be taken regarding the effected products, whether distributed or not. Corrections and
corrective actions must be commensurate with the risk associated with the nonconformity.
The audit team may encounter situations where a quality problem has been identified, but the
organization’s management has decided not to undertake corrective actions. Confirm that the
organization’s decision not to take corrective action has been made using appropriate risk-based
decision making, including a determination that the finished device meets risk acceptability criteria.
Determining the effectiveness of actions
During the audit of the Measurement, Analysis and Improvement process, review the mechanisms
by which the organization assessed effectiveness of the corrective and preventive actions.
Compare the records of significant and/or higher risk corrective actions and preventive actions to
the organization’s product and quality data analyses, such as trend results. Look for product or
quality problems or trends that continued or began after the actions were implemented. This may
indicate that the corrective actions or preventive actions were not effective.
Review how the organization has determined that the actions do not adversely affect the finished
device(s).

Link: Medical Device Adverse Events and Advisory Notices Reporting

Determine whether any of the organization’s corrective actions require reporting to participating
MDSAP authorities.

6. When a corrective or preventive action results in a design change, verify that any new hazard(s) and any
new risks are evaluated under the risk management process.
Clause and regulation: [ISO 13485:2003: 7.1; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4, 4.1.10; 21 CFR
820.30(i), 820.30(g)]

26 Companion Document
 Additional country-specific requirements: None

Assessing conformity:

Design change
Completing this audit task may involve linkages to other subsystems. Verification and validation
are important elements in assuring that corrective actions and preventive actions that result in
design changes are effective and do not introduce new hazards.

Link: Design and Development

If the corrective action or preventive action involves changing the design, design controls should
be applied to the change where applicable. When necessary, confirm that design controls were
applied to the change according to the organization’s procedures. In addition, design changes
should be evaluated under the organization’s risk management process to ensure that changes
do not introduce new hazards.

7. When a corrective or preventive action results in a process change, confirm that the process change is
assessed to determine if any new risks to the product are introduced. Verify the manufacturer has
performed revalidation of processes where appropriate.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.1, 7.5.2; TG(MD)R Sch1 P1 2; Sch3 P1 1.5(4); RDC ANVISA
16/2013: 2.4, 5.6, 7.1.1.4; 21 CFR 820.100(a)(4), 820.100(a)(5), 820.70(b), 820.75(c)]

Additional country-specific requirements:

Australia (TGA):

Confirm that when a manufacturer plans to make a substantial change to a critical process (e.g. sterilization,
processing materials of animal origin, processing materials of microbial or recombinant origin, or processes
that incorporate a medicinal substance in a medical device), the manufacturer notifies the auditing
organization who will determine if an assessment of the change is required before implementation [TG(MD)R
Sch3 P1 1.5(2)].

Canada (HC):

Verify that the manufacturer has a process or procedure for identifying a “significant change” to a class III
or IV device. Verify that information about “significant changes” is submitted in a medical device license
amendment application [CMDR 1, 34].

Assessing conformity:

Process changes
Completing this audit task may involve linkages to other quality management system processes.
Production processes require at least some degree of qualification, verification, or validation. If the
change involves a validated process, review the organization’s evaluation of the process change
to determine if revalidation is needed.

Links: Production and Service Controls, Purchasing

If the corrective action or preventive action involves changing a production process, the audit
team should consider selecting this change for evaluation during audit of Production and Service
Controls.

Companion Document 27
 For changes to production processes that are performed by suppliers, the audit team should
consider selecting those suppliers for evaluation during audit of the Purchasing process. In cases
where the organization makes a change to a validated process performed by a supplier, the audit
team should evaluate whether re-validation is required. If re-validation of production processes is
required, confirm the results show the process meets the planned result.
8. Verify that controls are in place to ensure that product which does not conform to
product requirements is identified and controlled to prevent its unintended use or
delivery. Confirm that an appropriate disposition was made, justified, and documented.
Clause and regulation: [ISO 13485:2003: 4.2.1, 8.3; TG(MD)R Sch3 P1 1.4(5)(b)(iii); RDC ANVISA 16/2013: 6.5; 21
CFR 820.90(a)]

Additional country-specific requirements:

Brazil (ANVISA):

Confirm that the evaluation of non-conforming product includes a determination of the need for an
investigation and notification of the persons or organizations responsible for the nonconformity. The
evaluation and any investigation must be documented [RDC ANVISA 16/2013: 6.5.1].

United States (FDA):

Confirm that the evaluation of non-conforming product includes a determination of the need for an
investigation and notification of the persons or organizations responsible for the nonconformity. The
evaluation and any investigation must be documented [21 CFR 820.90(a)].

Assessing conformity:

Nonconforming product
The audit team should review procedures and controls for preventing the unintended distribution
of nonconforming product. The auditor(s) may choose to select a sample of records involving
nonconforming product that was in stock or returned to review how the procedures and controls
were applied to control the nonconforming product.
Confirm the organization has established and maintained procedures that define the responsibility
for review and the authority for the disposition of nonconforming product, as well as the execution of
the review and disposition process. Disposition of nonconforming product must be documented.
The audit team may encounter situations where the organization’s management has decided to
authorize the use of nonconforming product under concession. Documentation must include the
justification for use of nonconforming product and the signature of the individual(s) authorizing the
use. Confirm that the organization’s decision to use nonconforming product under concession
has been made using appropriate risk-based decision making, including a determination that
the finished device meets specified requirements. Be mindful of instances where the use of
nonconforming product under concession has led to devices not meeting specifications.
Selecting records
When selecting records of nonconforming products to review, be mindful of the risk of the
nonconformity to the finished device and the patient or user. Select records of nonconforming
products to review where the nonconformity has a higher risk of adversely affecting the ability of
the finished device to meet its essential design outputs or the nonconformity affects the safety
and efficacy of the product.

28 Companion Document
9. Confirm that when nonconforming product is detected after delivery or use, appropriate
action is taken commensurate with the risk, or potential risks, of the nonconformity.
Clause and regulation: [ISO 13485:2003: 4.2.1, 8.3, 8.5.1; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4, 7.1.1.8;
21 CFR 820.100(a)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that the manufacturer has procedures to determine the product recall and other field actions that are
relevant in the case of products already distributed [RDC ANVISA 16/2013: 7.1.1.8].

Assessing conformity:

Control and action based on risk

During this audit task, confirm that the organization has determined the control and actions to
be taken on nonconforming products detected after delivery or use, commensurate with the risk
associated with a product failure.
While it may not be necessary for the organization to recall nonconforming product from
distribution as part of its identified actions needed to correct and prevent recurrence of the
problem, confirm that the decision is made using an adequate risk justification.

Link: Medical Device Adverse Events and Advisory Notices Reporting

If the organization has taken field action on products already distributed, confirm that the
appropriate MDSAP regulatory authorities have been notified, as necessary.

10.Verify that internal audits of the quality management system are being conducted
according to planned arrangements and documented procedures to ensure the quality
management system is in compliance with the established quality management
system requirements and applicable regulatory requirements, and to determine the
effectiveness of the quality system. Confirm that the internal audits include provisions
for auditor independence over the areas being audited, corrections, corrective actions,
follow-up activities, and the verification of corrective actions.
Clause and Regulation: [ISO 13485:2003: 4.2.1, 8.2.2; RDC ANVISA 16/2013: 7.3; 21 CFR 820.22, 820.100]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that quality audits are conducted by trained people in accordance with established audit procedures
[RDC ANVISA 16/2013: 7.3.2].

United States (FDA):

Verify that resources include the assignment of trained personnel to meet the requirements of 21 CFR Part
820, including management, performance of work, assessment activities, and internal quality audits [21 CFR
820.20(b)(2)].

Assessing conformity:

Internal audits
Internal audits are systematic, independent examinations of an organization’s quality management

Companion Document 29
 system that are performed at defined intervals and at sufficient frequency to determine whether
both quality management system activities and the results of such activities comply with quality
management system procedures. Internal audits should also determine whether these procedures
are implemented effectively and whether they are suitable to achieve quality management system
objectives.
Auditors
Internal audits are to be conducted according to established procedures by appropriately trained
individuals not having direct responsibility for the matters being audited. If possible, interview
auditors and ask how audits are conducted, how long audits typically last, what documents are
typically reviewed, etc.
Requirements
Internal audit procedures typically include requirements for auditor qualifications, requirements
for the frequency of audits, specified functional areas to be audited, and audit plans (or
the requirement to establish audit plans prior to the audit). Procedures should also include
requirements for how audit activities and results are to be communicated, addressed, and
followed up (including re-audit, if necessary) and for how audit activities are to be documented.
Review and documentation
Management having responsibility for the matters audited must review the report of the quality
audit. The dates and results of all quality audits (and subsequent re-audits, if necessary) must be
documented, as well as any corrective or preventive actions resulting from the internal audits.

Link: Management
During the audit of the Management process, the audit team should confirm that the output of
internal audits is an input to management review.

11.Determine if relevant information regarding nonconforming product, quality

management system nonconformities, corrections, corrective actions, and preventive
actions has been supplied to management for management review.
Clause and regulation: [ISO 13485:2003: 4.2.1, 5.6.2; TG(MD)R Sch3 P1 1.4(5)(b)(iii); RDC ANVISA 16/2013: 2.2.6,
7.1.1.7; 21 CFR 820.100 (a)(7)]

Additional country-specific requirements:

Brazil (ANVISA):

Confirm that relevant information about quality problems is identified and corrective and preventive actions
are submitted to executive management for information and monitoring, as well as the competent health
authority, if applicable [RDC ANVISA 16/2013: 7.1.1.7].

Assessing conformity:

Management review
During the performance of this audit task, the auditor(s) may choose to select a recent, significant
corrective or preventive action and determine which records or information regarding the event
was submitted for management review.

30 Companion Document
 Link: Management
During the audit of the Management process, the audit team should have confirmed that the
status of corrective and preventive actions is an input to the management review. During the
audit of the Measurement, Analysis and Improvement process, determine that top management
is aware of higher-risk quality problems, as well as significant corrective and preventive actions,
when necessary.

12.Confirm that the manufacturer has made effective arrangements for gaining experience
from the post-production phase, handling complaints, and investigating the cause
of nonconformities related to advisory notices with provision for feedback into the
Measurement, Analysis and Improvement process. Verify that information from the analysis
of production and post-production quality data was considered for amending the analysis of product risk,
as appropriate.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.2.3, 8.2.1; TG(MD)R Sch1 P1 2, Sch3 P1 1.4(3), 1.4(5)(b)(iii) &
1.4(5)(f); RDC ANVISA 16/2013: 7.2; CMDR 57-58; 21 CFR 820.198]

Additional country-specific requirements:

Australia (TGA):

Verify that the organization has procedures for a post-marketing system that includes a systematic review
of post-production experience (e.g. from; expert user groups, customer surveys, customer complaints
and warranty claims, service and repair information, literature reviews, post-production clinical trials, user
feedback other than complaints, device tracking and registration schemes, user reactions during training,
adverse event reports). Investigation should take place in a timely manner to ensure that reporting timeframes
for adverse events or advisory notices may be met [TG(MD)R Sch3 P1 1.4(3)(a)].

Note: Investigation should take place in a timely manner to ensure that reporting time-frames for adverse
events or advisory notices can be met by the Australian Sponsor. The manufacturer should be aware that
recalls are to be conducted in Australia by the Australian Sponsor in accordance with the Australian Uniform
Recall Procedure for Therapeutic Goods.

Brazil (ANVISA):

Verify that each manufacturer has established and maintains procedures to receive, examine, evaluate,
investigate and document complaints. Such procedures must ensure that:

(1) Complaints are received, documented, analyzed, evaluated, investigated and documented by a
formally designated unit;

(2) Where applicable, complaints must be reported to the competent health authority;

(3) Complaints must be examined to determine whether an investigation is necessary. When an

investigation is not done, the unit must maintain a record that includes the reason that the
investigation was not performed and the name of the responsible for that decision;

(4) Each manufacturer must examine, evaluate and investigate all complaints involving possible
nonconformities of the product. Any claim for death, injury or threat to public health must be
immediately reviewed, evaluated and investigated.

(5) The records of the investigation must include:

Product name;

Date of receipt of the complaint;

Any control number used;

Companion Document 31
 Name, address and telephone number of the complainant;

Nature of complaint;

Data and research results including actions taken [RDC ANVISA 16/2013: 7.2].

Canada (HC):

Verify that the manufacturer maintains records of reported problems related to the performance
characteristics or safety of a device, including any consumer complaints received by the manufacturer after
the device was first sold in Canada, and all actions taken by the manufacturer in response to the problems
referred to in the complaints [CMDR Section 57].

Verify that the manufacturer has established and implemented documented procedures that will enable it to
carry out an effective and timely investigation of the problems reports through the customer complaints, and
to carry out an effective and timely recall of the device [CMDR Section 58].

United States (FDA):

Verify procedures have been defined, documented, and implemented for receiving, reviewing, and evaluating
complaints by a formally designated unit. Procedures must ensure that:

(1) All complaints are processed in a uniform and timely manner

(2) Oral complaints are documented upon receipt

(3) Complaints are evaluated to determine whether the complaint represents an event which is required
to be reported to FDA

Each manufacturer must review and evaluate all complaints to determine whether an investigation is
necessary. When no investigation is made, the manufacturer must maintain a record that includes the reason
no investigation was made and the name of the individual responsible for the decision not to investigate.

Any complaint of the failure of the device, labeling, or packaging to meet any of its specifications must
be reviewed, evaluated, and investigated, unless such investigation has already been made for a similar
complaint and another investigation is not necessary.

Any complaint that represents an event which must be reported to FDA must be promptly reviewed,
evaluated, and investigated by a designated individual(s) and must be maintained in a separate portion of the
complaint files or otherwise clearly identified. Records of investigation must include a determination of:

(1) Whether the device failed to meet specifications

(2) Whether the device was being used for treatment or diagnosis

(3) The relationship, if any, of the device to the reported incident or adverse event

When an investigation is made, a record of the investigation must be maintained by the formally designated
unit. The record of investigation must include:

(1) The name of the device

(2) The date the complaint was received

(3) Any device identification(s) and control number(s) used

(4) The name, address, and telephone number of the complainant

(5) The nature and details of the complaint

(6) The dates and results of investigation

(7) Any corrective action taken

32 Companion Document
 When the manufacturer’s formally designated unit is located at a site separate from the manufacturing
establishment, the investigated complaint(s) and the record(s) of investigation must be reasonably accessible
to the manufacturing establishment [21 CFR 820.198].

Assessing conformity:

Evaluation of post-production data

During the review of quality data sources that serve as inputs to the Measurement, Analysis and
Improvement process, the audit team may choose to review complaints and customer feedback.
Confirm that complaints are handled as required by the MDSAP participating regulatory
authorities. Complaints can be an important source of information regarding quality problems and
are often indicative that distributed devices (or their packaging or labeling) did not meet specified
requirements.
Selecting records
One method to analyze complaints and customer feedback is to review the analysis of complaint
data and select one or more complaint failure modes, preferably failure modes associated
with higher risk to the patient or user. Once the audit team has selected complaint failure
modes, the auditor(s) can select a sample of complaints from those failure modes and confirm
the complaints are handled appropriately, including investigation and implementation of corrective
action when necessary.
Risk management
Information from post-production sources, including complaints and customer feedback, can
provide important information for the risk management activities for the device. In particular,
previously unidentified risks discovered during the post-production monitoring may indicate a
need for improving the risk management process or may indicate a need for design changes.
Additionally, on the basis of post-production quality data, the organization may choose to enact
new or more stringent controls to maintain an acceptable level of product risk.

Link: Medical Device Adverse Events and Advisory Notices Reporting

During the review of complaints and feedback, confirm that individual medical device reports were
made to the appropriate regulatory authorities when necessary.

13.Where investigation determines that activities outside the organization contributed to a

customer complaint, verify that records show that relevant information was exchanged
between the organizations involved.
Clause and regulation: [ISO 13485:2003; 4.1, 4.2.1, 7.2.3, 8.5.1; RDC ANVISA 16/2013: 7.1.1.6; 21 CFR 820.100(a)(6)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that the manufacturer has ensured that information about quality problems or nonconforming products
are properly disseminated to those directly involved in the maintenance of product quality and to prevent
occurrence of such problems [RDC ANVISA 16/2013: 7.1.1.6].

Companion Document 33
 United States (FDA):

Verify that information related to quality problems or nonconforming product is disseminated to those directly
responsible for assuring the quality of such product or the prevention of such problems [21 CFR 820.100(a)(6)].

Assessing conformity:

Complaints and nonconformities attributed to supplied product

Confirm that information related to quality problems or nonconforming product, including
complaints, is disseminated to those directly responsible for assuring the quality of product.
This includes instances where investigation reveals the underlying cause of the complaint or
nonconforming product to be related to supplied product. The organization should notify the
supplier of the quality problem and appropriate corrective action must be taken when necessary.
Failure of an outside organization to provide products that meet specified requirements may
disqualify them as an acceptable or approved supplier.

Link: Purchasing
During the audit of the Measurement, Analysis and Improvement process, if significant
nonconformities are related to supplied product, the audit team should consider selecting those
suppliers for evaluation during the audit of the organization’s Purchasing process.

14.Verify that the organization has defined and documented procedures for the notification
of adverse events. Confirm adverse event reporting is performed according to the
applicable regulatory requirements.
Clause and regulation: [ISO 13485:2003: 4.2.1, 8.5.1; TG(MD)R Sch3 P1 1.4(3)(c); RDC ANVISA 16/2013: 7.1.1.8,
RDC ANVISA 67/2009; CMDR 59-61.1; 21 CFR 803]

Additional country-specific requirements: Refer to MDSAP process Medical Device Adverse Events and Advisory
Notices Reporting

Assessing conformity:

Individual adverse event reports

An output of the activities associated with the Measurement, Analysis and Improvement process,
such as complaint handling, may be the reporting of individual adverse events to regulatory
authorities in which the device is marketed. When applicable, select complaint records that meet
criteria for reporting and confirm the appropriate reports and information was provided to the
regulatory authority. Ensure the individual adverse event reports contain accurate information by
comparing the submitted reports to the associated complaint and complaint investigation.
Reportable events are often an important Measurement, Analysis and Improvement process
quality data source since these events are indicative that the finished device has caused death,
serious injury, or has malfunctioned in a manner such that if the malfunction were to recur, the
result could be death or serious injury. Any death, even if the organization attributes it to user
error, is considered to have potentially high risk associated with it. Confirm that reportable events
were evaluated for corrective action when necessary.

34 Companion Document
15.Confirm that the manufacturer has made effective arrangements for the timely issuance
and implementation of advisory notices. Confirm that reporting of advisory notices is
performed according to the applicable regulatory requirements.
Clause and regulation: [ISO 13485:2003: 4.2.1, 8.5.1; TG(MD)R Sch3 P1 1.4(3)(c); RDC ANVISA 16/2013: 7.1.1.8,
RDC ANVISA 23/2012; CMDR 63-65.1; 21 CFR 806]

Additional country-specific requirements: Refer to MDSAP process Medical Device Adverse Events and Advisory
Notices Reporting

Assessing conformity:

Advisory notices
An output of the activities associated with the Measurement, Analysis and Improvement process,
including complaint handling and the discovery of nonconforming product that has been
distributed, may be the reporting of advisory notices to regulatory authorities in which the device
is marketed. When applicable, select advisory notices that meet criteria for reporting and confirm
that the appropriate reports and information were provided to the regulatory authority.
The quality problems that led to an advisory notice is often an important quality data source for
the corrective actions process since these events are indicative that the finished device does not
meet specified requirements and has the potential for unreasonable risk to the user. Confirm
that quality problems that resulted in advisory notices were evaluated for corrective action. If
corrective action was taken, evaluate the mechanism by which the organization assured the
action is effective and does not adversely affect the ability of the device to meet specified
requirements. If corrective action was not taken for quality problems associated with a correction,
removal, or advisory notice, review the organization’s rationale for not undertaking corrective
action and confirm that the decision is appropriate using a risk-based decision making process.
Decisions to not report a correction, removal, or advisory notice
The audit team may encounter instances where the organization has performed activities involving
issuance of advisory notices without notifying regulatory authorities in the markets in which the
device is marketed. In these situations, review the organization’s rationale for not reporting
these actions and ensure that the rationale is appropriate. Verify that records of the action are
maintained.
16.Determine, based on the assessment of the Measurement, Analysis and Improvement
process overall, whether management provides the necessary commitment to detect
and address product and quality management system nonconformities, and ensure the
continued suitability and effectiveness of the quality management system.
Clause and regulation: [ISO 13485:2003: 4.1; RDC ANVISA 16/2013: 2.2.1]

Companion Document 35
 Medical Device Single Audit Program
Chapter 4
Process: Medical Device Adverse Events and Advisory Notices Reporting

The Medical Device Adverse Events and Advisory Notices Reporting process may be audited as a
linkage from the Measurement, Analysis and Improvement process.
Purpose: The purpose of auditing the Medical Device Adverse Events and Advisory Notices
Reporting is to verify that the organization’s processes ensure that individual device-related adverse
events and advisory notices involving medical devices are reported to regulatory authorities within
required timeframes.
Outcomes: As a result of the audit of the Medical Device Adverse Events and Advisory Notices
Reporting process, objective evidence will show whether the organization has:
A) Defined processes to ensure individual device-related adverse events are reported to regulatory
authorities as required
B) Ensured that advisory notices are reported to regulatory authorities and authorized representatives
when necessary
C) Maintained appropriate records of individual device-related adverse events and advisory notices

Links to Other Processes: Measurement, Analysis and Improvement

Audit Tasks and Links to Other Processes:

1. Verify that the organization has a process in place for identifying device-related events
that may meet reporting criteria as defined by participating regulatory authorities. Verify
that the complaint process has a mechanism for reviewing each complaint to determine
if a report to a regulatory authority is required. Confirm that the organization’s processes
meet the timeframes required by each regulatory authority where the product is marketed.
Clause and regulation: [ISO 13485:2003: 4.2.1, 8.5.1; see the country-specific requirements below]

Country-specific requirements:

Australia (TGA):

Manufacturers are required to implement a post-marketing system that includes provisions for adverse event
reporting – e.g. Therapeutic Goods (Medical Devices) Regulations 2002 Schedule 3 Part 1 Clause 1.4(3)(c)(i).
In view of the written agreement between Manufacturers and the Australian Sponsor [TG Act 41FD], events
must be reported by the manufacturer to the TGA, or to the Sponsor in a timely manner to ensure that a
Sponsor can meet their reporting obligations under the Therapeutic Goods (Medical Devices) Regulation 5.7:

• Verify that the manufacturer or other person becoming aware of an event that represents a serious
threat to public health provides information as soon as practicable. The Sponsor is to report the
event within 48 hours.

• Verify that the manufacturer or other person becoming aware of an event that led to the death or
serious deterioration in the state of health of a patient, a user, or other person provides information as
soon as practicable. The Sponsor is to report the event within 10 days.

36 Companion Document
 • Verify that the manufacturer or other person becoming aware of an event that the recurrence of which
might lead to the death or serious deterioration in the state of health of a patient, a user, or other
person provides information as soon as practicable. The Sponsor is to report the event within 30
days.

Note: An event that leads to a serious threat to human health is a hazard arising from a systematic failure of
the devices or an event or other occurrence that may lead to death or serious injury.

Note: It is a condition on Australian Sponsors of Class AIMD, Class III and Implantable Class IIb devices
that they provide three consecutive annual reports to the TGA following inclusion of the device in the ARTG.
Annual reports are due 1 October each year. Reports should be for the period 1 July to 30 June. The report
is to include:

• ARTG no.

• Product name

• Model no(s)

• Number supplied in Australia

• Number supplied worldwide (Numbers should include devices that are the same but supplied under a
different name in another jurisdiction)

• Number of complaints in Australia

• Number of complaints worldwide

• Number of adverse events and incident rates in Australia (Rate= No. of events/ No. Supplied x 100 =
Rate%)

• Number of adverse events and incident rates world wide

• A list of the more common complaints and all of the adverse events

• Device Incident Report (DIR) number of those adverse events reported to the TGA

• Regulatory/corrective action/notification by manufacturer

Note: Australian Sponsors are required to provide manufacturers with any information that will assist the
manufacturer to comply with the obligations of a conformity assessment procedure (e.g. information in
relation to adverse events) [TG(MD)R Reg 5.8].

Brazil (ANVISA):

Verify that a post-market surveillance system is established and implemented in the organization and
integrated into the Quality System, with procedures and work flows established to ensure the correct and the
prompt identification of adverse events, the performance of investigations and use of the results to improve
the safety and effectiveness of the device when necessary [RDC ANVISA 67/2009 – Art. 6º].

For domestic manufacturers (also applies to legal representatives in Brazil) - verify that top management has
designated a professional to be responsible for the post-market surveillance system. This designation shall
be documented [RDC ANVISA 67/2009 – Art. 5º].

Verify that the organization has mechanisms for processing and recording complaints, conducting
investigations, and providing feedback directly to the complainant, or in the case of an international
manufacturer, to their legal representative in Brazil, as necessary [RDC ANVISA 67/2009 – Art. 6º, Art. 7º,
Art. 9º].

Verify that the organization has notified the regulatory authority about problems associated with their devices,
including adverse events (critical or non-critical), any technical defect that was identified regarding products
already marketed, anything that can cause a serious hazard to public health, or cases of counterfeit [RDC
ANVISA 67/2009 – Art. 8º].

Companion Document 37
 For international manufacturer, verify that the legal representative in Brazil is aware about the occurrence of possibility
of death, serious hazard to public health or cases of counterfeit, associated with their products exported to Brazil
[RDC ANVISA 67/2009 – Art. 8º].

Canada (HC):

Medical Device Regulations SOR/98-282, Section 59-61.1:

Verify that the manufacturer and the importer of a medical device make a preliminary and final report
to the minister concerning any incident occurring inside or outside Canada involving a device sold in
Canada.

a. Related to the failure of the device or deterioration in its effectiveness or any inadequacy in its
labeling or in its directions for use.

b. Has led to death or serious deterioration in the state of health of a patient, user, or other person,
or could do so if it were to occur [CMDR 59].

Verify that the manufacturer or other person becoming aware of an event that led to the death or
serious deterioration in the state of health of a patient, a user, or other person provides information
in a preliminary report within 10 days after the person becomes aware of the event or occurrence
[CMDR 60 (1) (a) (i)].

Verify that the manufacturer or other person becoming aware of an event that the recurrence of which
might lead to the death or serious deterioration in the state of health of a patient, a user, or other
person provides information in a preliminary report within 30 days after the person becomes aware of
the event or occurrence [CMDR 60 (1) (a) (ii)].

Verify that manufacturer has made effective arrangements to submit preliminary reports to the
Minister and that the reports contain [CMDR 60 (2)]:

(a) the identifier of any medical device that is part of a system, test kit, medical device group,
medical device family or medical device group family;

(b) if the report is made by

(i) the manufacturer: the name and address of that manufacturer and of any known importer, and
the name, title and telephone and facsimile numbers of a representative of the manufacturer
to contact for any information concerning the incident, or

(ii) the importer of the device: the name and address of the importer and of the manufacturer,
and the name, title and telephone and facsimile numbers of a representative of the importer to
contact for any information concerning the incident;

(c) the date on which the incident came to the attention of the manufacturer or importer;

(d) the details known in respect of the incident, including the date on which the incident occurred
and the consequences for the patient, user or other person;

(e) the name, address and telephone number, if known, of the person who reported the incident to
the manufacturer or importer;

(f) the identity of any other medical devices or accessories involved in the incident, if known;

(g) the manufacturer’s or importer’s preliminary comments with respect to the incident;

(h) the course of action, including an investigation, that the manufacturer or importer proposes to
follow in respect of the incident and a timetable for carrying out any proposed action and for
submitting a final report; and

(i) a statement indicating whether a previous report has been made to the Minister with respect to
the device and, if so, the date of the report.

38 Companion Document
 If a preliminary report required by section 60 is submitted to the Minister and/or Importer, verify
that the manufacturer has submitted a final report to the Minister in writing in accordance with the
timetable established under CMDR 60(2)(h) and the final report contains [CMDR 61(1)]:

(a) a description of the incident, including the number of persons who have experienced a serious
deterioration in the state of their health or who have died;

(b) a detailed explanation of the cause of the incident and a justification for the actions taken in
respect of the incident; and

(c) any actions taken as a result of the investigation, which may include:

(i) increased post-market surveillance of the device,

(ii) corrective and preventive action respecting the design and manufacture of the device, and

(iii) recall of the device.

If the reports required by section 60 and 61 are submitted to the Minister just by the Importer, verify
that the manufacturer has advised the Minister in writing that the reports the manufacturer and
importer would have submitted were identical and that the manufacturer has permitted the importer
to prepare and submit reports to the Minister on the manufacturer’s behalf [CMDR 61.1].

United States (FDA):

21 CFR 803: Medical Device Reporting

Determine whether the manufacturer has developed a process for reporting to FDA incidents
involving device-related deaths, serious injuries, and reportable malfunctions that occur within and
outside the United States if the same or similar device is marketed to the United States.

Confirm that the manufacturer has developed, maintained, and implemented written medical device
reporting (MDR) procedures for the following:

(a) Internal processes that provide for:

(1) Timely and effective identification, communication, and evaluation of events that may be
subject to MDR requirements;

(2) A standardized review process or procedure for determining when an event meets the criteria
for reporting; and

(3) Timely transmission of complete medical device reports to FDA

(b) Documentation and recordkeeping requirements for:

(1) Information that was evaluated to determine if an event was reportable;

(2) All medical device reports and information submitted to FDA

(3) Processes that ensure access to information that facilitates timely follow-up and audit.

Verify that any reports are made within 30 calendar days after the day that the manufacturer receives
or otherwise becomes aware of information, from any source, that reasonably suggests that a device
that is marketed:

(1) May have caused or contributed to a death or serious injury; or

(2) Has malfunctioned and this device or a similar device that is marketed would be likely to cause or
contribute to a death or serious injury, if the malfunction were to recur.

Companion Document 39
 Confirm the manufacturer’s MDR files contain the following:

(1) Information (or references to information) related to the adverse event, including all
documentation of deliberations and decision-making processes used to determine if a device-
related death, serious injury, or malfunction was or was not reportable to FDA.

(2) Copies of all MDR forms (form 3500A) and other information related to the event submitted to
FDA.

(3) If the manufacturer maintains MDR event files as part of the complaint file, ensure that the
manufacturer has prominently identified these records as MDR reportable events. FDA will not
consider a submitted MDR report to comply with 21 CFR 803 unless the manufacturer evaluates
an event in accordance with the quality management system requirements. Confirm that the
manufacturer has documented and maintained in the MDR event files an explanation of why the
manufacturer did not submit or could not obtain any information required by 21 CFR 803, as well
as the results of the evaluation of each event.

Compare the information submitted on the individual medical device report to the information
contained in the associated complaint and confirm the medical device report contains all information
related to the event that is reasonably known to the manufacturer.

Verify the manufacturer has submitted reports to FDA, on form 3500A or an electronic equivalent
approved under 803.14, no later than 5 work days after the day that the manufacturer becomes
aware that:

(a) An MDR reportable event necessitates remedial action to prevent an unreasonable risk of
substantial harm to the public health. The manufacturer may become aware of the need for
remedial action from any information, including any trend analysis; or

(b) FDA has made a written request for the submission of a 5-day report. If the manufacturer
receives such a written request from FDA, the manufacturer must submit, without further
requests, a 5-day report for all subsequent events of the same nature that involve substantially
similar devices for the time period specified in the written request. FDA may extend the time
period stated in the original written request if FDA determines it is in the interest of the public
health.

Verify the manufacturer submitted supplemental reports within one month of obtaining information
that was not submitted in an initial report.

Link: Measurement, Analysis and Improvement

Reports of individual adverse events are a form of feedback and must be analyzed as appropriate
for trends requiring improvement or corrective action. During the audit of the Measurement,
Analysis and Improvement process, confirm that the organization has considered individual
adverse events and trends of adverse events in the analysis of data.

2. Verify that advisory notices are reported to regulatory authorities when necessary
and comply with the timeframes and recordkeeping requirements established by
participating regulatory authorities.
Clause and regulation: [ISO 13485:2003: 4.2.1, 8.5.1; see the country-specific requirements below]

Country specific requirements:

Australia (TGA):

Manufacturers are required to implement a post-marketing system that includes provisions for the recovery
of devices – e.g. Therapeutic Goods (Medical Devices) Regulations 2002 Schedule 3 Part 1 Clause 1.4(3)

40 Companion Document
 (c)(ii). In view of the written agreement between Manufacturers and the Australian Sponsor [TG Act 41FD]
proposed recalls must be reported by the manufacturer to the TGA, or to the Sponsor in a timely manner to
ensure that a Sponsor can meet their reporting obligations [Therapeutic Goods (Medical Devices) Regulation
5.7, Therapeutic Goods Act Part 4-9 and the Uniform Recall Procedure for Therapeutic Goods (URPTG)].

Note: Australian Sponsors are required to provide manufacturers with any information that will assist the
manufacturer to comply with the obligations of a conformity assessment procedure (e.g. information in
relation to the recovery of devices) [TG(MD)R Reg 5.8].

Brazil (ANVISA):

Verify that procedures and work flows were established in order to identify when field actions (recalls and
corrections) are necessary, in accordance with the organization’s post-market surveillance system and quality
system [RDC ANVISA 67/2009 - Art. 6º; RDC ANVISA 23/2012 – Art. 1º, Art. 5º].

Verify that the organization keeps records regarding field actions performed, including those that do not need
to be reported to regulatory authorities [RDC ANVISA 23/2012 – Art. 4º; Art. 6º, Art. 10, Art. 11, Art. 16].

For domestic manufacturers (also applies to legal representatives in Brazil) - verify that the organization has
sent to the regulatory authority the reports requested, according Brazilian regulation [RDC ANVISA 23/2012
– Art. 10, Art. 11].

Verify that the organization has performed field actions based on potential or concrete evidence that their
product does not comply with essential requirements of safety and effectiveness [RDC ANVISA 23/2012 –
Art. 4º, Art. 6º, Art. 7º, Art. 13, Art. 14, Art. 15].

For domestic manufacturers (also applies to legal representatives in Brazil) - verify that the organization has
performed field actions when required by the regulatory authority [RDC ANVISA 23/2012 – Art. 6º].

For domestic manufacturers (also applies to legal representatives in Brazil) - verify that the organization
notified the regulatory authority regarding field actions, in accordance with requirements and deadlines
established per Brazilian regulation [RDC ANVISA 23/2012 – Art. 7º, Art. 8º].

For international manufacturers, verify that the legal representative in Brazil was aware about the occurrence
of field actions performed on products exported to Brazil [RDC ANVISA 67/2009 – Art. 8º].

Canada (HC):

Medical Device Regulations SOR/98-282, Section 63 – 65.1:

Verify that the manufacturer and the importer of a medical device, on or before undertaking a recall of a
device provide the minister with the following information [CMDR 64]:

(a) the name of the device and its identifier, including the identifier of any medical device that is part of a
system, test kit, medical device group, medical device family or medical device group family;
(b) the name and address of the manufacturer and importer, and the name and address of the
establishment where the device was manufactured, if different from that of the manufacturer;
(c) the reason for the recall, the nature of the defectiveness or possible defectiveness and the date on
and circumstances under which the defectiveness or possible defectiveness was discovered;
(d) an evaluation of the risk associated with the defectiveness or possible defectiveness;
(e) the number of affected units of the device that the manufacturer or importer
(i) manufactured in Canada,
(ii) imported into Canada, and
(iii) sold in Canada;
(f) the period during which the affected units of the device were distributed in Canada by the
manufacturer or importer;

Companion Document 41
 (g) the name of each person to whom the affected device was sold by the manufacturer or importer and
the number of units of the device sold to each person;

(h) a copy of any communication issued with respect to the recall;

(i) the proposed strategy for conducting the recall, including the date for beginning the recall,
information as to how and when the Minister will be informed of the progress of the recall and the
proposed date for its completion;

(j) the proposed action to prevent a recurrence of the problem; and

(k) the name, title and telephone number of the representative of the manufacturer or importer to contact
for any information concerning the recall.

Verify that as soon as possible after the completion of the recall the manufacturer and the importer reports to
the minister the results of the recall and the action taken to prevent a recurrence of the problem [CMDR 65].

If the reports required by section 64 and 65 are submitted to the Minister just by the Importer, verify that the
manufacturer has advised the Minister in writing that the reports the manufacturer and importer would have
submitted were identical and that the manufacturer has permitted the importer to prepare and submit reports
to the Minister on the manufacturer’s behalf [CMDR 65.1].

United States (FDA):

21 CFR 806: Medical Devices; Reports of Corrections and Removals

Verify that the manufacturer has a process in place to notify FDA in the event of actions concerning device
corrections and removals and to maintain records of those corrections and removals.

Verify that the written report to FDA of any correction or removal initiated to reduce a risk to health or remedy
a violation of the U.S. Food, Drug and Cosmetic Act is reported within 10 working days of initiating the
correction or removal.

Confirm that the manufacturer maintains records of any correction and removal not required to be reported
to FDA (e.g. corrections and removals conducted to correct a minor violation of the U.S. Food, Drug and
Cosmetic Act or no risk to health)

Link: Measurement, Analysis and Improvement

Corrections and removals are indicative that the product or process does not meet specified
requirements or planned results and the nonconformity was not detected prior to distribution.
When specified requirements or planned results are not achieved, correction and corrective action
must be taken as necessary. During the audit of the Measurement, Analysis and Improvement
process, confirm the organization has taken appropriate correction regarding devices already
distributed, and taken appropriate corrective action to prevent recurrence of the condition(s) that
caused the nonconformity.

42 Companion Document
 Medical Device Single Audit Program
Chapter 5
Process: Design and Development

The purpose of the Design and Development process is to control the design process and to assure
that devices meet user needs, intended uses, and specified requirements. Attention to design and
development planning, identifying design inputs, developing design outputs, verifying that design
outputs meet design inputs, validating the design, controlling design changes, reviewing design
results, transferring the design to production, and compiling the appropriate records will help an
organization assure that resulting designs will meet user needs, intended uses, and requirements.
The management representative is responsible for ensuring that the requirements of the quality
management system have been effectively defined, documented, implemented, and maintained.
Prior to the audit of any process, interview the management representative (or designee) to obtain an
overview of the process and a feel for management’s knowledge and understanding of the process.
Audit of the Design and Development process will follow audit of the Measurement, Analysis and
Improvement process per the MDSAP audit sequence. Information regarding product or quality
system nonconformities noted during audit of the Measurement, Analysis and Improvement process
should be considered when making decisions as to the design and development projects, including
design changes resulting from corrective actions, to be reviewed during the audit of the Design
and Development process. Review of the Design and Development process will also provide an
opportunity to evaluate how the organization has utilized risk management activities to ensure design
inputs are comprehensive and meet user needs, to confirm that risk control measures that were
planned have been implemented in the design, and to verify that risk control measures are effective
in controlling or reducing risk. Additionally, review of design and development activities will assist
the audit team during the audit of the organization’s Purchasing process because the auditor(s)
has an opportunity to select suppliers for review whose activities are associated with higher risk to
the product or whose activities are critical to the essential design outputs. The review of design
and development activities also provides information to assist the audit team in performing a final
evaluation of the Management process at the conclusion of the audit.
Auditing the Design and Development Process
Purpose: The purpose of auditing the Design and Development process is to verify that the
organization establishes, documents, implements, and maintains controls to ensure that medical
devices meet user needs, intended uses, and specified requirements.
Outcomes: As a result of the audit of the Design and Development process, objective evidence will
show whether the organization has:
A) Defined, documented and implemented procedures to ensure medical devices are designed
according to specified requirements
B) Effectively planned the design and development of a device
C) Established mechanisms, including systematic review, for addressing incomplete, ambiguous or
conflicting requirements

Companion Document 43
D) Determined the internally or externally imposed requirements for safety, function, and performance
for the intended use, including regulatory requirements, risk management, and human factors
requirements
E) Verified that design outputs satisfy design input requirements
F) Identified and mitigated, to the extent practical, the risks associated with the device, including the
device software
G) Ensured that changes to the device design are controlled, the risks associated with the design
change are identified and mitigated, to the extent practical, and that the device will continue to
perform as intended
H) Performed design validation to ensure devices conform to user needs and intended use
I) Confirmed that the design is correctly translated into production methods and procedures

Links to Other Processes: Purchasing; Production and Service Controls; Measurement,

Analysis and Improvement; Device Marketing Authorization and Facility Registration

Audit Tasks and Links to Other Processes:

1. Verify that those devices that are, by regulation, subject to design and development
procedures have been identified.
Clause and regulation: [ISO 13485:2003: 4.1, 4.2.1, 7.1, 7.3.1; TG(MD)R Regs Division 3.2; 21 CFR 820.30(a)]

Additional country-specific requirements:

Australia (TGA):

Verify that the manufacturer prepares and maintains complete and current objective evidence that demonstrates
compliance with the Essential Principles of Safety and Performance [TG(MD)R Sch3 P1 1.4(5)(c) & 1.9].

Verify that devices to be sold in Australia have labeling and instructions for use that comply with the Essential
Principles for information that is to be provided with a device [TG(MD)R Sch1 P2 13].

When the Therapeutic Goods (Medical Devices) Regulations 2002 does not require a manufacturer to
apply design and development controls for the Class of the medical device (Class IIa, Class I Measuring,
Class I Sterile), the manufacturer shall prepare and maintain complete and current objective evidence that
demonstrates compliance with the Essential Principles of Safety and Performance [see TG(MD)R Sch3 P6
6.4 - Required Technical Documentation].

Brazil (ANVISA):

According to Brazilian legislations, there is no exception to design control.

If design activities are outsourced, verify that the manufacturer has a complete device master record for the
device and records of the design transfer to production [RDC ANVISA 16/2013: 4.1.7, 4.2].

Canada (HC):

With respect to Class II devices that are not subject to Design and Development controls, verify that the
manufacturer has objective evidence to establish that Class II devices meet the safety and effectiveness
requirements of section 10 to 20 [CMDR 9, 10 to 20].

44 Companion Document
 Assessing conformity:

Absence of design activity

The audit team may encounter situations where the organization has not completed any design
projects, has no ongoing or planned design projects, and has not made any design changes
(i.e., there has been no design activity). At the minimum, verify that the organization maintains a
defined and documented design change procedure. An organization may also have defined and
documented other design control procedures. For that type of organization — an organization
with no design activity, including no design changes — assess the procedures the organization
has in place. The audit team can then proceed to the audit of the next process.
Outsourced design activities
In cases where design activities (development and changes) are completely outsourced by
the organization, the audit team must verify (at a minimum) that the controls and records
related to the design transfer to production have been determined and that the production line,
implemented in the manufacturer site, meets the production requirements established during the
design and development of the device. In these cases, the manufacturer shall ensure that the
contracted organization complies with the requirements of design and development, established
by Medical devices – Quality management systems – Requirements for regulatory purposes (ISO
13485:2003), Brazilian Good Manufacturing Practices (RDC ANVISA 16/2013), the Quality System
Regulation (21 CFR Part 820), and any other specific requirements of medical device regulatory
authorities participating in the MDSAP program.

Link: Purchasing
If the organization outsources design and development activities, or any portion of the design
and development, confirm that the organization treats the outsourced firm as a supplier, has
appropriately qualified and maintains control over the supplier, communicates requirements to the
supplier, including regulatory requirements, and has arrangements to verify that the design and
development activities satisfy those requirements.

2. Select a completed (where applicable) design and development project for review.
Priority criteria for selection:
• complaints or known problems with a particular device
• product risk
• recent design changes, particularly design changes made to correct quality problems
associated with the device design
• age of design (prefer most recent)
• designs that have not been recently audited

Companion Document 45
 Link: Measurement, Analysis and Improvement
At this point in the audit, the audit team will have already reviewed the Measurement, Analysis and
Improvement process. If the auditors noted corrective actions that resulted in design changes,
or noted product nonconformities that have been attributed to the design of the device, the audit
team should consider selecting those designs for review. The audit team should be particularly
mindful of how the identified quality problems from the Measurement, Analysis and Improvement
process are related to specific aspects of the design and development of the device. For
example, if the auditors review complaints related to a safety feature of the device that is not
performing as intended, the audit team should consider selecting for review the design verification
of that safety feature and determine whether appropriate risk control methods were confirmed to
be effective.

3. Verify that the design and development process is planned and controlled. Review the
design plan for the selected design and development project to understand the design
and development activities; including the design and development stages, the review,
verification, validation, and design transfer activities that are appropriate at each stage;
and the assignment of responsibilities, authorities, and interfaces between different
groups involved in design and development.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.1, 7.3.1; TG(MD)R Sch3 P1 Cl 1.4(4)&(5)(c); RDC ANVISA
16/2013: 4.1.2, 4.1.11; 21 CFR 820.30(b), 820.30(j)]

Additional country-specific requirements:

Australia (TGA):

Verify that effective planning for design and development is documented, typically as part of a Quality Plan
[TG(MD)R Sch3 P1 Cl 1.4(4)].

Canada (HC):

Verify that manufacturers of Class IV devices maintain a quality plan that sets out the specific quality
practices, resources, and sequence of activities relevant to the device [CMDR 32].

Assessing conformity:

Reviewing the design plan

Review the design plan for the selected project to understand the layout of the design and
development activities, including assigned responsibilities and interfaces.
The design plan for the selected project can be used by the audit team as a roadmap for the
review of the project. Plans may vary depending on the type or size of the project. Some
design plans may be expressed as simple flowcharts, or for larger projects, Gantt or Program
Evaluation Review Technique (PERT) charts may be used. Plans do not have to show starting
or completion dates for activities covered. However, plans must define responsibility for
implementation of the design and development activities and describe the interfaces with different
groups or activities. Expect to see interfacing between research and development, marketing,
regulatory, manufacturing, and quality departments. The audit team might also see interfacing
with purchasing, installers, and servicers. When external institutions (e.g. universities or research
and development centers) are involved in the design and development activities, the interfaces
between the organization and those external institutions must also be defined.

46 Companion Document
 Design and development plans may change while the design and development process evolves;
however, all changes on the plan must be documented and approved.
4. For the device design and development record(s) selected, verify that design and
development procedures have been established and applied. Confirm the design
and development procedures address the design and development stages, review,
verification, validation, design transfer, and design changes.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.3.1; TG(MD)R Sch3 P1 Cl 1.4(4)&(5)(c); RDC ANVISA 16/2013:
4.1.1; 21 CFR 820.30(a), 820.30(j)]

Additional country-specific requirements:

United States (FDA):

Verify that the design input procedures contain a mechanism for addressing incomplete, ambiguous, or
conflicting requirements [21 CFR 820.30(c)].

Assessing conformity:

Review of procedures
Design and development procedures set the structure, provide the framework, and support the
organization’s Design and Development process. The purpose of auditing the procedures is to
determine if the organization has that framework in place. If procedures have not been defined
and documented, or are deficient, the organization’s devices may not meet user needs and
intended use.
In accomplishing this audit task, the audit team is to review the organization’s procedures and
verify that the procedures address the requirements of the Medical devices – Quality management
systems – Requirements for regulatory purposes (ISO 13485:2003), Brazilian Good Manufacturing
Practices (RDC ANVISA 16/2013), the Quality System Regulation (21 CFR Part 820), and specific
requirements of medical device regulatory authorities participating in the MDSAP program. For
example, verify that the design input procedure includes a mechanism for addressing incomplete,
ambiguous, or conflicting requirements. Verify that the output procedure ensures that essential
outputs are identified. Verify that the design review procedure ensures that each design review
includes an individual who does not have responsibility for the design stage being reviewed.
Minimum requirement
If the organization has no ongoing or planned design projects, has not made any design changes,
then ensure that, at a minimum, the organization maintains defined and documented design
change procedures.
5. Verify that design and development inputs were established, reviewed and approved;
and that they address customer functional, performance and safety requirements,
intended use, applicable regulatory requirements, and other requirements including
those arising from human factors issues, essential for design and development.
Verify that any risks and risk mitigation measures identified during the risk management process are used
as an input in the design and development process.
Clause and regulation: [ISO 13485:2003: 4.2.1, 5.2, 7.2.1, 7.3.2; TG(MD)R Sch1 P1 2, Sch3 P1 Cl 1.4(2)&(5)(c);
RDC ANVISA 16/2013: 2.4, 4.1.3, 4.1.11; CMDR 10-20, 21-23; 21 CFR 820.30(c), 820.30(g)]

Companion Document 47
 Additional country-specific requirements:

Australia (TGA):

Verify that the manufacturer has identified the relevant Essential Principles that apply to the medical device
[TG(MD)R Sch1 Essential Principles].

United States (FDA):

For the selected device(s), verify that the firm has the appropriate marketing clearance [510(k)] or pre-market
approval (PMA) if distributing the devices in the United States [21 CFR 807].

Assessing conformity:

Design inputs
Inputs are the physical and performance requirements of a device that are used as a basis for
device design. Inputs must be documented and approved by appropriate personnel. The audit
team should review the sources used to develop the inputs and determine that relevant aspects
of the requirements for the device were covered. These sources must include the relevant
regulations where safety and performance criteria have been defined (e.g. safety and efficacy
requirements or Essential Principles of Safety and Performance). Examples of relevant aspects
include intended use, performance characteristics, intended user, risk mitigation, biocompatibility,
compatibility with the environment of intended use (including electromagnetic compatibility),
software, radiation protection, human factors, and sterility. Organizations must take into account
the current thinking of experts where published information is available (e.g. Standards).
Design inputs are the basis of the design verification and validation; therefore, design inputs need to
be defined and recorded as formal requirements that allow for confirmation to the design outputs.
Relevant information for design input can also come from post-production data or experience
from similar devices. Complaints and adverse events form a feedback system that can help drive
quality improvements in new designs and changes to current designs.

Link: Device Marketing Authorization and Facility Registration

Confirm the organization has considered regulatory requirements for registration, listing,
notification and licensing; and has complied with these requirements prior to marketing the device
in the applicable regulatory jurisdictions.

6. Confirm that the design and development inputs are complete, unambiguous, and not in
conflict with each other.
Clause and regulation: [ISO 13485:2003: 7.3.2; TG(MD)R Sch 3 Part 1.4(4), RDC ANVISA 16/2013: 4.1.3; 21 CFR
820.30(c)]

Additional country-specific requirements: None

Assessing conformity:

Design inputs
Design inputs must be defined and recorded as verifiable requirements, approved by the
appropriate personnel. If the organization does not have accurate and complete design inputs,
the final design may not meet user needs and intended use.

48 Companion Document
 A common method for an organization to confirm the design inputs for a design and development
project are complete, unambiguous, and not in conflict with each other is to perform a design
review after the initial requirements are determined.
7. Review medical device specifications to confirm that design and development
outputs are traceable to and satisfy design input requirements. Verify that the design
and development outputs essential for the proper functioning of the medical device
have been identified. Outputs include, but are not limited to, device specifications,
specifications for the manufacturing process, the quality assurance testing, and device
labeling and packaging.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.3.3; 7.3.5; TG(MD)R Sch3 P1 Cl 1.4(5)(c); RDC ANVISA 16/2013:
4.1.5, 4.1.4, 4.1.11; 21 CFR 820.30(d), 820.30(f)]

Additional country-specific requirements:

Australia (TGA):

Confirm that documentation identifies whether relevant state of the art standards have been applied in full
or in part. If standards have not been applied, ensure that the manufacturer has documented a rationale to
explain why alternative methods have been applied to demonstrate compliance with the Essential Principles
[TG(MD)R Sch3 Part 1.4(5)(c)(iii)(C)].

For devices incorporating a medicinal substance, verify that documentation also identifies the data to be
derived from tests conducted in relation to the substance, and its interaction with the device [TG(MD)R Sch 3
Part 1.4(5)(c)(v)].

Assessing conformity:

Design outputs
Design outputs are the work products or deliverables of a design stage. Design outputs
can include documents such as diagrams, drawings, specifications, and procedures. The
outputs from one stage may become inputs to the next stage. The total finished design output
consists of the specifications for the device, its packaging and labeling, quality management
system requirements, the manufacturing process, and if applicable, installation and servicing
requirements. During this design stage, a tremendous number of records, or outputs, can be
produced. Only the approved outputs need to be retained. However, if an organization chooses to
retain other records, for historical or other purposes, they may do so.
Essential outputs
Outputs that are essential for the proper functioning of the device must be identified. Typically, an
organization can use a risk management tool to determine the essential outputs. To verify that
this has been done, the auditor(s) may review the organization’s process for determining how
the essential outputs were identified and if it was done in accordance with their design output
procedures. The identification of essential outputs may influence other quality system activities.
For example, the establishment of manufacturing process tolerances, the degree of purchasing
controls and acceptance activities applied to a supplier or the priority and depth of a failure
investigation may be influenced by whether or not the component (assembly, material, etc.) is
considered an output essential for the proper functioning of the device.
Design verification
In design verification, the organization obtains objective evidence (i.e., data) that design outputs

Companion Document 49
 meet design inputs. An organization generates this objective evidence by conducting verification
activities such as tests, measurements, and analyses. These activities should be explicit and
thorough in their execution. An organization’s verification activities should be predictive, not
empiric. In other words, acceptance criteria need to be stated in advance of the verification
activity. The establishment of pre-determined acceptance criteria may be found in a verification
protocol or similar document. During the review of design verification activities, the auditor(s)
will determine if the design verification data confirms that design outputs met the design input
requirements.
Verification techniques
Complex designs will require more and different types of verifications than simple designs.
Sometimes an organization has to use its own expertise to develop (in-house) a way to verify a
particular aspect of a design. Any approach selected by an organization is acceptable as long as
it provides reliable objective evidence that the output met the input.
Choosing verification activities for review
In accomplishing this audit task, select records generated from design verification activities
associated with a number of design inputs and design outputs. The review of these records
will determine whether design outputs met design input requirements. When possible, select
documentation of design verification activities that are associated with outputs that are considered
essential for the proper functioning of the device.

Links: Purchasing, Production and Service Controls

During the review of a design project, the audit team should be mindful of production processes
and supplied products that are essential to the proper functioning of the device. Production
processes can include not only the manufacturing instructions, but also internal controls, such
as the type and extent of acceptance activities, equipment calibration and maintenance intervals,
environmental controls, and personnel controls. For suppliers that provide products and
services related to the essential design outputs, the degree of purchasing controls necessary is
commensurate with the effect of the supplied product on the proper functioning of the finished
device.

During the audits of the Purchasing process and Production and Service Controls process, the
audit team should consider reviewing production processes and supplied products that have the
highest risk or greatest effect on the essential design outputs.

8. Verify that risk management activities are defined and implemented for product and process design and
development. Confirm that risk acceptability criteria are established and met throughout the design
and development process. Verify that any residual risk is evaluated and, where appropriate,
communicated to the customer (e.g., labeling, service documents, advisory notices,
etc.).
Note:
In some instances, it may be necessary for the manufacturer to conduct a risk/benefit analysis to
justify a risk that cannot be mitigated to an acceptable level.

50 Companion Document
Additionally,it may be necessary to audit other processes (e.g. Production and Service Controls,
Purchasing) to verify that risk acceptability criteria are met, risk is controlled or reduced, and residual
risk is communicated if necessary.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.1, 7.3.2; TG(MD)R Sch1 P1 2, Sch3 P1 Cl 1.4(5)(c)(iii); RDC
ANVISA 16/2013: 2.4, 4.1.11, RDC ANVISA 56/2001; CMDR 10, 11, 16; 21 CFR 820.30(g)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that the manufacturer has established and maintains a continuous process of risk management which
covers the entire life cycle of the product. Possible hazards must be identified in both normal and fault
conditions, including those arising from human factors issues. The risk associated with those hazards, shall
be calculated. Risks must be analyzed, evaluated and controlled, as necessary. Effectiveness of risk controls
implemented shall be evaluated [RDC ANVISA 56/2001, RDC ANVISA 16/2013: 2.4].

United States (FDA):

Confirm that the manufacturer has identified the possible hazards associated with the device in both normal
and fault conditions. The risks associated with the hazards, including those resulting from user error,
should be calculated in both normal and fault conditions. If any risk is judged to be unacceptable, it should
be reduced to acceptable levels by the appropriate means. Ensure changes to the device to eliminate or
minimize hazards do not introduce new hazards [21 CFR 820.30(g); preamble comment 83].

Assessing conformity:

Risk management
Each organization must determine how much risk is acceptable. The actual use of any medical
device includes some measure of risk to users or patients. Determining an acceptable level of risk
depends on the intended use of the device, including the particular health concern of the patient
population, the training of the users involved, and the use environment. For example, pediatric
patients may have less ability to detect a device malfunction. A device used by consumers
generally has less medical oversight than a device used in a hospital setting. The goal of a risk
management program is to ensure the device is as safe as practical and the safety of the device is
acceptable for the intended use.
Effective risk management usually starts in conjunction with the design and development process,
proceeds through product realization, including the selection of suppliers, and continues until
the time the product is decommissioned. Risk management should be initiated at a point early
in the design and development process. This includes defining the intended use of the device,
considering risk under normal use and reasonably foreseen misuse. Starting the risk management
process after the design has progressed beyond a point where reasonable risk mitigation features
can be included in the design can lead to devices that do not meet customer needs and the
organization’s requirements for safety. Records of risk management should demonstrate that
risks that have been identified as unacceptable have been mitigated to an acceptable level.
Mitigation of risks
There are a number of mechanisms that can be used to mitigate product risk. These risk
mitigation mechanisms, in descending order of effectiveness, include safety features inherent in
the device design, protective measures in the design (e.g. alarms), and user notifications (e.g.
labeled warnings).

Companion Document 51
 Review of risk management activities
During the review of the design project selected, verify that risk management is initiated early in
the design and development process. Confirm that the organization’s risk management process
involves the proactive evaluation, control, and monitoring of product risk, followed by the reactive
response to quality data that indicates new or changing product risk.
9. Confirm that design verification and/or design validation includes assurances that risk control measures
are effective in controlling or reducing risk.
Clause and regulation: [ISO 13485:2003: 7.1, 7.3.5, 7.3.6; TG(MD)R Sch1 P1 2, Sch3 P1 Cl 1.4(5)(c); RDC ANVISA
16/2013: 2.4, 4.1.4, 4.1.8, 4.1.11; CMDR 10,16; 21 CFR 820.30(f), 820.30(g)]

Additional country-specific requirements: None

Assessing conformity:

Verification of risk control measures

During the review of design verification activities for the chosen design project, confirm that the
identified risk control measures are actually effective in reducing or controlling risk. For example,
a design for an enteral feeding tube may have a unique connector to prevent the potential for
misconnection to other types of devices, such as suction catheters. Design verification should
show that it is difficult or impossible to connect non-related devices to the enteral feeding tube.
10.Verify that design and development validation data show that the approved design
meets the requirements for the specified application or intended use(s). Verify that design
validation testing is adjusted according to the risk of the product and element being validated.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.3.6; TG(MD)R Sch1 P1 2; Sch3 P1 Cl1.4(5)(d); RDC ANVISA
16/2013: 2.4, 4.1.8, 4.1.11; CMDR 12; 21 CFR 820.30(g)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that design validation has been performed under defined operating conditions on initial production
units, lots, or batches. Validation shall include device testing under real or simulated conditions of use.
Design validation shall include software validation, as necessary. Stability studies shall be performed as
necessary [RDC ANVISA 16/2013: 4.1.8].

United States (FDA):

Verify that design validation has been performed on initial production units, lots, or batches, or their
equivalents. When equivalent devices are used in the final validation, the manufacturer must document in
detail how the device was manufactured and how the device is similar to and possibly different from initial
production. When there are differences, the manufacturer must justify why design validation results are valid
for the production units, lots, or batches. Verify that design validation includes testing of production units
under actual or simulated use conditions [21 CFR 820.30(g)].

Assessing conformity:

Design validation
Design validation is performed to provide objective evidence that design specifications (outputs)
conform to user needs and intended uses. Design validation must be completed before
commercial distribution of the product.

52 Companion Document
 The design validation activities should be predictive, not empiric. In other words, acceptance
criteria need to be stated in advance of the validation activity. The establishment of pre­
determined acceptance criteria may be found in a validation protocol or similar document.
Design validation must be performed under defined operating conditions on initial production
units, lots, or batches, or their equivalents. Design validation shall ensure that devices conform
to defined user needs and intended uses and includes testing of production units under actual
or simulated use conditions. The results of the design validation, including identification of the
design, method(s), the date, and the individual(s) performing the validation, must be recorded.
Needs, environment and uses
Design validation must address the needs of all relevant parties, such as the patient, healthcare
worker, biomedical engineer, and storage clerk. Consideration must be given to the environment
in which the device will be stored, transported, and used. Design validation needs to be performed
for each intended use. Design validation must also confirm that user needs and intended uses
associated with the device’s packaging and labeling are met. These outputs have human factors
implications and unless they are adequately considered during design validation, they may adversely
affect the device and its use. Confirm that design validation data show that the approved design
met the predetermined user needs and intended uses. The intended uses must include the purpose
of the device, patient type (adults, pediatrics or newborn) and the environment in which the device is
to be transported and used (domestic use, hospitals, ambulances, etc.).
11.Verify that clinical evaluations and/or evaluation of the medical device safety and
performance were performed as part of design validation if required by national or
regional regulations.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.3.6; TG(MD)R Reg 3.11, Sch3 P1 Cl 1.4(5)(c)(vii), Sch3 P8; RDC
ANVISA 16/2013: 4.1.8, 4.1.11, RDC ANVISA 56/2001; CMDR 12; 21 CFR 820.30(g)]

Additional country-specific requirements:

Australia (TGA):

Verify that records of the validation include clinical evidence as required by the clinical evidence procedures
[TG(MD) Sch3 P1 Cl 1.4(5)(c)(vii) and TG(MD) Sch3 P8].

Assessing conformity:

Clinical evaluations and testing

Design validation may involve the performance of some sort of clinical evaluation, including testing
under actual or simulated use conditions. Clinical evaluations may involve full clinical studies. Clinical
evaluations may also consist of other evaluations in a clinical or non-clinical setting, provision of
historical evidence that similar designs are clinically safe, or reviews of scientific literature.
The audit team should limit their review of clinical evaluations to verifying whether clinical
evaluations have been performed as part of design validation, when necessary, and whether the
organization has established acceptance criteria for the results in order to validate the device and
that the results obtained meet the defined acceptance criteria.
When applicable, review the clinical evaluations, if performed, to validate the design. The audit
team should confirm that the data from clinical evaluations demonstrates that the user needs and
intended uses for the device and its packaging and labeling were met.

Companion Document 53
12.If the medical device contains software, verify that the software was subject to the
design and development process. Confirm that the software was included within the risk
management process.
Clause and regulation: [ISO 13485:2003: 7.3.1, 7.3.6; TG(MD)R Sch1 P1 2, Sch1 EP12.1; RDC ANVISA 16/2013:
2.4, 4.1.8, 4.1.11; CMDR 20; 21 CFR 820.30(g)]

Additional country-specific requirements: None

Assessing conformity:

Software development
Many devices are at least partially controlled by software. Some devices consist almost entirely
of software. For the device software, confirm that the software is part of the design and
development plan for the device. The life cycle requirements for medical device software must be
defined, including the intended use.
Software verification
“Software verification” is a term often used to describe the testing of the software. During the review of
the software development, confirm that the organization has conducted appropriate verification activities.
Verification is often accomplished by performing test cases at the unit, subsystem, and integration levels;
as well as system functional testing. Software verification can include the testing of the software product
installed on the target hardware. As with other types of design verification, verification of software is
a predictive activity. The acceptance criteria must be determined prior to performing the testing. The
predetermined acceptance criteria are often found in a verification protocol or similar document. Confirm
that the predetermined acceptance criteria have been met by reviewing the actual results of the selected
software tests. The risk management activities for the device and software can help guide the audit team
as to which verification tests involve the essential design outputs of the device and software.
Software validation
Software validation is a “confirmation by examination and provision of objective evidence that
software specifications conform to user needs and intended uses, and that the particular
requirements implemented through software can be consistently fulfilled.” It involves checking for
proper operation of the software in its actual or simulated use environment, including integration
into the final device where appropriate. Testing of device software functionality in a simulated
use environment, and user site testing are typically included as components of an overall design
validation program for a software automated device.
The audit team may encounter times when the software has been installed at user sites as part of
validation, often referred to as “beta testing”. Beta testing can be a method to confirm the device,
including the software, meets the user needs and intended uses.
13. Verify that design and development changes were controlled, verified (or where
appropriate validated), and approved prior to implementation. Confirm that any new risks
associated with the design change have been identified and mitigated to the extent practical.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.1, 7.3.7; TG(MD)R Sch1 P1 2, Sch3 P1 Cl 1.4(5)(f), Sch3 P1
Cl1.5(4); RDC ANVISA 16/2013: 2.4, 4.1.4, 4.1.8, 4.1.10, 4.1.11, Brazilian Law 6360/76 - Art. 13; CMDR 1, 34; 21
CFR 820.30(i)]

54 Companion Document
Additional country-specific requirements:

Australia (TGA):

Verify that the manufacturer has a process or procedure for notifying the auditing organization of a substantial
change to the design process or the range of products to be manufactured [TG(MD)R Sch3 Cl1.5].

Verify that the manufacturer has a process or procedure for identifying a proposed substantial change to the
design, or the intended performance, of a Class AIMD or Class III device, and to notify the assessment body
prior to implementing the change [TG(MD)R Sch3 P1 Cl 1.6(4)].

Brazil (ANVISA):

If the medical device evaluated is already registered/notified with ANVISA, verify that the design change was
correctly and promptly submitted to ANVISA for approval, when applicable [Brazilian Law 6360/76 - Art. 13].

Canada (HC):

Verify that the manufacturer has a process or procedure for identifying a “significant change” to a Class III or
IV medical device. Verify that information about “significant changes” is submitted in a medical device license
amendment application [CMDR 1, 34].

United States (FDA):

Verify that the firm obtained a new 510(k) or supplement to the pre-market approval if required [21 CFR 807].

Assessing conformity:

Procedures
An organization may have separate change control procedures to handle the post-production and
pre-production changes, or an organization may have one procedure that handles both.
Nature of change
The documentation and control of changes begins when the initial design inputs are approved
and continues for the life of the product. Design change control applies to changes to inputs or
outputs as a result of design verification or design validation, changes to labeling or packaging,
changes to enhance a product’s performance, changes of production process(es), and changes
that result from product complaints. Change can be acceptable as long as it is controlled.
Records
The control of changes is not complete until the results of the review of changes and any updates
to product specifications or changed processes are documented or amended.
Communication and consequential actions
Changes need to be effectively communicated and requirements for any consequential actions
should be defined (e.g. training or communication to design or production staff).

Companion Document 55
 Link: Measurement, Analysis and Improvement process (if a design change was made to
correct a quality problem with the device); Device Marketing Authorization and Facility
Registration
During the audit of the Measurement, Analysis and Improvement process, the auditors may
encounter corrective actions or preventive actions that resulted in design changes. When
corrective action or preventive action involves changing the design, confirm that design controls
have been applied to the change, in accordance with the organization’s procedures. Confirm
these design changes were effective in addressing the quality issues or potential quality issues
identified in corrective or preventive action. In addition, the design change should be evaluated
under the organization’s risk management process to ensure that changes do not introduce
new hazards. Some changes may require revalidation where it is not possible to verify that
requirements have been met after the change has been implemented.

The audit team should also confirm the organization has considered regulatory requirements for
registration, listing, notification and licensing; and has complied with these requirements prior to
marketing the changed device in the applicable regulatory jurisdictions.

14.Verify that design reviews were conducted at suitable stages as required by the
design and development plan. Confirm that the participants in the reviews include
representatives of functions concerned with the design and development stage being
reviewed, as well as any specialist personnel needed.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.3.1, 7.3.4; TG(MD)R Sch3 P1 C1.4(5)(c)(i); RDC ANVISA 16/2013:
4.1.6, 4.1.11; 21 CFR 820.30(e)]

Additional country-specific requirements:

United States (FDA):

Verify that procedures ensure that participants include representatives of all functions concerned with the
design stage being reviewed and an individual(s) who does not have direct responsibility for the design stage
being reviewed, as well as any specialists needed [21 CFR 820.30(e)].

Assessing conformity:

Design reviews
Design reviews typically occur at the end of each design stage or phase or after the completion of
project milestones. The number of design reviews can vary, but at a minimum, one formal review
must be conducted. Reviews should provide feedback to the design team on emerging problems,
assess the progress of the design and development project, and confirm that the design is ready
to move to the next phase of development or for transfer to the manufacturing phase.
It is not necessary to have fully convened meetings for all design reviews. For simple designs
or minor changes, desk reviews and sign-offs may be adequate. Design reviews must include
an individual who does not have direct responsibility for the design stage being reviewed and
representation from manufacturing to ensure that design and development outputs are verified as
suitable for manufacturing before becoming final production specifications.
During the review of design review activities for the selected design project, confirm that the reviews
included an individual who did not have direct responsibility for the design stage being reviewed. The
audit team should also confirm that outstanding action items are being resolved or have been resolved.

56 Companion Document
15.Verify that design changes have been reviewed for the effect on products previously
made and delivered, and that records of review results are maintained.
Clause and regulation: [ISO 13485:2003: 7.3.7; RDC ANVISA 16/2013: 4.1.10; 21 CFR 820.30(i)]

Additional country-specific requirements: None

Assessing conformity:

Effects on constituent parts and products already delivered

There are situations where a design change can affect constituent parts. For example, a change
to a disposable portion of an aspiration system might affect the ability of the disposable to
connect to the console. When necessary, ensure the design change does not negatively impact
products in distribution.
16.Determine if the design was correctly transferred to production.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.1, 7.3.1; RDC ANVISA 16/2013: 4.1.7, 4.1.9, 4.1.11, 4.2; 21 CFR
830.30(h)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that procedures ensure that the device design is correctly translated into production specifications
[RDC ANVISA 16/2013: 4.1.7].

Confirm that the manufacturer ensures that the design release occurs only after the approval(s) of a
designated person. Before the final release, design and development records must be reviewed to confirm
that the design is complete and that the final design meets the approved design. Final release, including
signature(s) (manual or electronic) and dates, shall be documented [RDC ANVISA 16/2013: 4.1.9, 4.1.11].

Verify that production specifications are documented (e.g. Device Master Record – DMR). The record
shall include or make reference to: a) device specifications, including software source code (if applicable),
drawings, composition (BOM – bill of materials), etc.; b) production specifications (ex. work instructions,
environmental controls, measurement equipment, etc.); c) labeling and packaging specifications; c)
measurements, inspections, and tests, with acceptance criteria; and d) methods and procedures for
installation and servicing (if applicable) [RDC ANVISA 16/2013: 4.2].

Assessing conformity:

Transferring the design to production

During this phase, the design is translated into production specifications. This can take place
in steps or phases. The audit team should review how the design for the selected project was
transferred into production specifications. Based on the organization’s identification of essential
outputs and risk management activities, review significant elements of the manufacturing
processes, including products from suppliers and the established tolerances for processes, and
compare them with the approved design outputs contained within the design records. These
activities can confirm whether or not the design was correctly transferred.
Design transfer is a process that may be initiated not only at the end of the design and development
process, but may also be initiated immediately before validation stages and may continue as design
and development evolves. This early initiation of design transfer is helpful in order to have production
processes and device validations conducted properly and allow for corrections during the process.
At the end, design and development process is “finalized” by a “final design transfer.”

Companion Document 57
 Link: Production and Service Controls, Purchasing
Verify that production processes for the device, including process validation (if required) have been
defined, documented, and implemented. Confirm that potential hazards that could be introduced
or exacerbated by the production process have been identified, and production controls have
been established. Production processes include not only the manufacturing instructions, but also
internal controls, such as the type and extent of acceptance activities, equipment calibration and
maintenance intervals, environmental controls, and personnel controls.

Confirm that the manufacturer has determined the type and extent of supplier controls based on
the relationship between the supplied products and services and product risk.

17.Determine, based on the assessment of the design and development process

overall, whether management provides the necessary commitment to the design and
development process.
Clause and regulation: [ISO 13485:2003: 4.1, 5.1, 5.5.1; TG(MD)R Sch3 P1 Cl 1.4(5)(b)(ii); RDC ANVISA 16/2013: 2.2.1]

58 Companion Document
 Medical Device Single Audit Program
Chapter 6
Process: Production and Service Controls

The purpose of the Production and Service Controls process is to manufacture products that meet
specifications. Developing processes that are adequate to produce devices that meet specifications,
validating (or fully verifying the results of) those processes, and monitoring and controlling those
processes are all steps that help assure the result will be devices that meet specified requirements.
After completing the audit of the organization’s Production and Service Controls process, the audit
team will return to the Management process to make a final decision of whether top management
ensures that an adequate and effective quality management system has been established and
maintained at the organization.
In order to meet the Production and Service Controls requirements of Medical devices – Quality
management systems – Requirements for regulatory purposes (ISO 13485:2003), Brazilian Good
Manufacturing Practices (RDC ANVISA 16/2013), the Quality System Regulation (21 CFR Part
820), and specific requirements of medical device regulatory authorities participating in the MDSAP
program, the organization must understand when deviations from device specifications could occur
as a result of the production process or environment.
The management representative is responsible for ensuring that the requirements of the quality
management system have been effectively defined, documented, implemented, and maintained.
Prior to the audit of any MDSAP process, interview the management representative (or designee) to
obtain an overview of the process and a feel for management’s knowledge and understanding of the
process.
Audit of the Production and Service Controls process will follow audit of the Measurement, Analysis
and Improvement process and the Design and Development process per the MDSAP audit
sequence. Information the audit team has learned about device and quality management system
nonconformities during audit of the Measurement, Analysis and Improvement process, as well as
higher risk elements and essential design outputs from the design projects reviewed during audit
of the Design and Development process, should be used to make decisions as to the production
processes to be reviewed during the audit of the Production and Service Controls process.
Auditing the Production and Service Controls Process
Purpose: The purpose of auditing the production and service controls process (including testing,
infrastructure, facilities, equipment, and servicing) is to verify that the organization’s processes are
capable of ensuring that products will meet specifications.
Outcomes: As a result of the audit of the Production and Service Controls process, objective
evidence will show whether the organization has:
A) Defined, documented and implemented procedures to ensure production and service processes
are planned, developed, conducted, controlled, and monitored to ensure conformity to specified
requirements
B) Developed production and service process controls commensurate with the potential effect of the
process on product risk

Companion Document 59
C) Ensured that when the results of a process cannot be verified by subsequent monitoring or
measurement, the process is validated with a high degree of assurance that the process will
consistently achieve the planned result
D) Implemented procedures for the validation of the application of computer software for production
and service processes that affect the ability of the product to conform to specified requirements,
including validation of computer software used in the quality management system
E) Maintained records for each batch of medical devices that provides information for traceability and
confirmation that the batch meets specified requirements
F) Implemented controls to protect customer property, including intellectual property, confidential
health information, and other forms of customer property that is used or incorporated into
products

Links to Other Processes: Management; Design and Development; Measurement,

Analysis and Improvement; Purchasing

Audit Tasks and Links to Other Processes:

1. Verify that the product realization processes are planned, including any necessary
controls, controlled conditions, and risk management activities required for the product
to meet the specified or intended uses and the statutory and regulatory requirements
related to the product. Confirm that the planning of product realization is consistent
with the requirements of the other processes of the quality management system and
performed in consideration of the quality objectives.
Clause and regulation: [ISO 13485:2003: 7.1, 7.2.1, 7.5.1.1; TG(MD)R Sch 1 P1 2, Sch3 P1 Cl1.4(4), Sch3 P1
Cl1.4(5)(d)&(e); RDC ANVISA 16/2013: 2.2.1, 2.4, 4.1.2, 4.1.7, 5.1; 21 CFR 820.30(b), 820.20(a), 820.30(h),
820.70(a)]

Additional country-specific requirements: None

Assessing conformity:

Planning
In planning product realization, the organization must determine as appropriate the quality
objectives and requirements for the product, the processes, documents, and resources specific
to the product, the criteria for product acceptance, and the required verification, monitoring,
inspection, and test activities specific to the product. Planning of product realization often
begins in the design and development of the product, including the translation of the design into
production specifications.
The planning of product realization should be consistent with the risk control and mitigation
strategies identified by the organization during risk management activities.
During the audit, be mindful of requirements for the product that relate to statutory and regulatory
requirements, requirements necessary for the product to meet specified or intended uses, and
requirements for safe and efficacious use of the product. The organization must ensure their
processes, and the monitoring of processes, inspection, and test activities are planned and
developed to ensure these requirements are met.

60 Companion Document
 Quality objectives
Quality objectives are typically expressed as a measurable target or goal. The planning of product
realization should include consideration of how the production processes, the criteria for product
acceptance, and the required verification, validation, monitoring, inspection, and test activities
specific to the product will achieve the quality objectives. Confirm that the organization has
defined quality objectives for the device.

Link: Management
Confirm when necessary that the quality objectives related to the product were considered for
inclusion in management review.

2. Review production processes considering the following criteria. Select one or more
production processes to audit.
Reminder: Information the audit team has learned about device and quality management system
nonconformities during audit of the Measurement, Analysis and Improvement process, as well as
higher risk elements and essential design outputs from the design projects reviewed during audit
of the Design and Development process should be used to make decisions as to the production
processes to be reviewed.
Priority criteria for selection:
• Corrective and preventive action indicators of process problems or potential problems
• Use of the production process for higher risk products
• Use of production processes that directly impact the ability of the device to meet its essential
design outputs
• New production processes or new technologies
• Use of the process in manufacturing multiple products
• Processes that operate over multiple shifts
• Processes not covered during previous audits
3. For each selected process, determine if the production and service process is planned
and conducted under controlled conditions that include the following:
• the availability of information describing product characteristics
• the availability of documented procedures, requirements, work instructions, and reference
materials, reference measurements, and criteria for workmanship
• the use of suitable equipment
• the availability and use of monitoring and measuring devices
• the implementation of monitoring and measurement of process parameters and product
characteristics during production
• the implementation of release, delivery and post-delivery activities

Companion Document 61
 • the implementation of defined operations for labeling and packaging
• the establishment of documented requirements for changes to methods and processes
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.5.1.1, 8.2.3, 8.2.4; TG(MD)R Sch3 P1 Cl1.4(5)(d)&(e); RDC
ANVISA 16/2013: 3.1.3, 4.2, 5.1, 5.2, 5.3, 5.4, 5.6; 5.6.1; 5.6.2; 21 CFR 820.70(a), 820.70(b), 820.75, 820.120,
820.130]

Additional country-specific requirements:

Brazil (ANVISA):

Determine whether the manufacturer has established and maintained a procedure for change control in
order to track changes in auxiliary systems, software, equipment, processes, methods or other changes
that may affect the quality of products, including risk assessment within the risk management process. The
procedure must describe the actions to be taken, including, when appropriate, the need for re-qualification or
re-validation. Verify that changes are formally requested, documented and approved before implementation
[RDC ANVISA 16/2013: 5.6; 5.6.1; 5.6.2].

Assessing conformity:

Establishment of work instructions, procedures, and production processes

Production processes that may cause a deviation to a device specification and all validated
processes must be controlled and monitored. The planning of production includes the
establishment of procedures and work instructions for the control and monitoring of the
production processes, including service controls when necessary. Control and monitoring
procedures may include in-process and finished device acceptance activities as well as
environmental and contamination control measures. The establishment of procedures and work
instructions to control the production of the device should provide the controls and tolerances
necessary to ensure finished devices conform to product specifications.
4. Determine if the organization has established documented requirements for product
cleanliness including any cleaning prior to sterilization, cleanliness requirements if provided
non-sterile, and assuring that process agents are removed from the product if required.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.5.1.2.1; TG(MD)R Sch3 P1 Cl1.4(5)(d); RDC ANVISA 16/2013:
5.1.3.1, 5.1.3.4, 5.1.5.3; 21 CFR 820.70(c), 820.70(d), 820.70(e), 820.70(h)

Additional country-specific requirements:

Brazil (ANVISA):

Confirm that a pest control program has been established and where chemicals are used as part of the pest control
program, the company must ensure that they do not affect product quality [RDC ANVISA 16/2013: 5.1.3.4].

Verify that the manufacturer has established and maintains housekeeping procedures and schedules for production
areas and warehouses, in conformance with production specifications [RDC ANVISA 16/2013: 5.1.3.1].

Assessing conformity:

Cleanliness requirements
The goal of establishing requirements for product cleanliness is to minimize contamination of the
finished device and the manufacturing environment. Sterile devices may require a higher level of
control in terms of minimizing the bioburden and particulate contamination in order to assure the
desired sterility assurance level is met. Each organization must evaluate the extent of cleanliness
required for the proper functioning and intended use of the finished device and implement the

62 Companion Document
 necessary control measures. Examples of control measures include, but are not limited to,
cleaning procedures, environmental controls (e.g. cleanrooms, or other controlled environments),
requirements for attire, and training of personnel. When necessary, confirm the organization has
identified the cleanliness requirements for the finished device and the proper controls to achieve
the required level of cleanliness.
Process agents
Process agents, also known as manufacturing materials, are generally defined as materials or
substances used to facilitate the manufacturing process, which are present in or on the finished
devices as a residue or impurity. Examples of process agents include cleaning agents, mold-
release agents, lubricating oils, latex proteins, sterilant residues, etc. The organization must
evaluate process agents used during the manufacturing process when the process agent could
potentially have an adverse effect on the product. During the design of the product and the
development of the manufacturing process, the potential effect of process agents should be
considered. If the audit team encounters situations where process agents are being utilized in
the manufacturing of the product, and the process agent could potentially have an adverse effect
on the product, confirm that the organization has made effective arrangements to control the
process agent in a manner commensurate with the risk the agent poses to the finished device.
For example, the organization may need to validate a cleaning process to ensure cutting oil is
removed from an orthopedic implant prior to packaging and sterilization.
5. Verify that the organization has determined and documented the infrastructure
requirements to achieve product conformity, including buildings, workspace,
process equipment, and supporting services. Confirm that buildings, workspaces,
and supporting services allow product to meet requirements. Verify that there are
documented and implemented requirements for maintenance of process equipment
where important for product quality, and that records of maintenance are maintained.
Clause and regulation: [ISO 13485:2003: 4.2.1, 6.3; RDC ANVISA 16/2013: 5.1.2, 5.1.5; CMDR 14; 21 CFR
820.70(g), 820.70(f)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that manufacturing facilities are configured in order to provide adequate means for production, avoid
mix-ups or contamination of components, raw materials, in process products and finished devices; and to
ensure the correct handling of the devices and production flow [RDC ANVISA 16/2013: 5.1.2].

Assessing conformity:

Infrastructure requirements
The organization is responsible for evaluating the manufacturing facility to ensure that the
buildings, utilities, and space allow for the achievement of product conformity. The organization
is responsible for ensuring adequate space to prevent mix-ups and ensure orderly handling of
products.
Equipment maintenance
The organization must consider whether maintenance of production equipment may affect
product quality. Procedures, including the frequency of maintenance and the records of
maintenance must be available for these items of equipment.

Companion Document 63
6. Verify documented requirements have been established, implemented and maintained for:
• health, cleanliness, and clothing of personnel that could have an adverse effect on
product quality
• monitoring and controlling work environment conditions that can have an adverse
effect on product quality
• training or supervision of personnel who are required to work under special
environmental conditions
• controlling contaminated or potentially contaminated product (including returned
products) in order to prevent contamination of other product, the work environment,
or personnel
Clause and regulation: [ISO 13485:2003: 4.2.1, 6.4; TG(MD)R Sch1 P2 7.2, 8; RDC ANVISA 16/2013: 5.1.3; 21 CFR
820.70(c), 820.70(d), 820.70(e)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that biosafety standards are used, when applicable [RDC ANVISA 16/2013: 5.1.3.6].

Assessing conformity:

Contamination control
The organization is responsible for establishing and maintaining procedures to prevent
contamination of products, equipment, and personnel by substances that could adversely affect
the device. If contamination control measures are necessary to meet specified requirements,
cleaning and sanitation procedures and schedules may be required to ensure the contamination
control measures are properly functioning. The organization should consider the segregation and
decontamination of returned product.
Personnel practices
Personnel practices must address personnel health, cleanliness, and attire if these could adversely
affect product quality or the work environment. In the event that maintenance or other personnel
are required to work temporarily under special environmental conditions, these individuals must be
appropriately trained or supervised by a trained individual.
7. Determine if the selected process(es) and sub-process(es) have been reviewed, including
any outsourced processes, to determine if validation of these processes is required.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.5.2.1; TG(MD)R Sch1 P2 8.2, 8.3; Sch3 P1 1.4(5)(d), RDC ANVISA
16/2013: 5.5.2, 5.5.3; 21 CFR 820.75(a)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that analytical methods, utilities, computer systems and automated software that can adversely affect
product quality or the quality system are validated, periodically reviewed and, when necessary, revalidated
[RDC ANVISA 16/2013: 5.5.2, 5.5.3].

64 Companion Document
 Canada (HC):

Verify that sterilization methods for devices sold in a sterile state are validated [CMDR 17].

United States (FDA):

Process validation is required for sterilization, aseptic processing, injection molding, and welding [21 CFR
820.75; preamble comment 143].

Assessing conformity:

Process validation
During the planning of product realization, the organization must determine which production
processes require validation and which processes can be verified. Process validation may apply
to processes that generate components, subassemblies, or finished devices. Process validation
is required for processes where the results of the process cannot be fully verified. Processes
that cannot be fully verified include processes where clinical or destructive testing is necessary to
show that the process produced the desired result, where routine inspection and/or testing does
not examine quality attributes essential to the proper functioning of the finished device, or where
routine testing has insufficient sensitivity to verify the desired safety and efficacy of the finished
product.
Examples of processes that require validation include, but are not limited to sterilization, aseptic
processing, welding, and injection molding. When applicable, confirm that the organization has
identified processes which require validation, including validation requirements for any outsourced
processes.
When validating processes, organizations must take into account the current thinking of experts
where published information is available (e.g. though the application of ISO standards for
sterilization validation).

Link: Purchasing
The audit team may encounter situations where the organization outsources processes
that require validation. During the review of the Purchasing process, review the controls the
organization has instituted over suppliers that perform validated processes. This can be
particularly important for higher risk validated processes performed by suppliers, since the finished
device manufacturer does not have immediate control over those processes.

8. Verify that the selected process(es) has been validated if the result of the process
cannot be fully verified. Confirm that the validation demonstrates the ability of the
process(es) to consistently achieve the planned result. In the event changes have
occurred to a previously validated process, confirm that the process was reviewed and
evaluated, and re-validation was performed where appropriate.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.5.2.1; TG(MD)R Sch1 P1 2(1), Sch3 P1 1.4(5)(d); RDC ANVISA
16/2013: 1.2.18, 5.5.1; 21 CFR 820.75(a), 820.75(c)]

Additional country-specific requirements:

Australia (TGA):

Confirm that methods of validation have regard to the generally acknowledged state of the art (e.g. current Medical
Device Standard Orders - MDSO, ISO/IEC Standards, BP, EP, USP etc.) [TG Act s41CB, TG(MD)R Sch 1 P1 2(1)].

Companion Document 65
 Brazil (ANVISA):

Verify that processes requiring validation are validated according to previously established protocols. The
results of validations, including date and identification of the person responsible for its approval, must be
recorded [RDC ANVISA 16/2013: 5.5.1].

United States (FDA):

Confirm that the validation activities and results, including the date and signature of the individual approving
the validation and where appropriate the major equipment validated, have been documented [21 CFR
820.75(a)].

Assessing conformity:

Process validation
Process validation means establishing by objective evidence (i.e. data) that a process
consistently produces a result (e.g., sterility assurance level) or product meeting predetermined
specifications. Remember that the term “product” applies to components and in-process
devices as well as finished devices. Therefore, process validation may apply to processes that
generate components, in-process devices, or finished devices.
Process validation procedures
Some organizations have general process validation procedures. Other organizations establish
separate procedures for each individual process validation study. Both methods for establishing
process validation procedures are acceptable.
Reviewing a validation
During review of a validation study, determine when applicable whether:
1) The instruments used to generate the data were properly calibrated and maintained;
2) Predetermined product and process specifications were established;
3) Sampling plans used to collect test samples are based on a statistically valid rationale;
4) Data demonstrates predetermined specifications were met consistently;
5) Process tolerance limits were challenged;
6) Process equipment was properly installed, adjusted, and maintained;
7) Process monitoring instruments were properly calibrated and maintained;
8) Changes to the validated process were appropriately challenged (if applicable); and
9) Process operators were appropriately qualified.
Achieving the planned result
Process validation activities are predictive, rather than empiric. In order for a process validation
study to show the process achieves the planned result, the acceptance criteria must be stated in
advance of performing the validation. The data from the process validation study must show the
predetermined acceptance criteria have been met.

66 Companion Document
 Evidence of nonconformities
Process validation studies may also provide valuable insight into process or product
nonconformities. For example, the process validation study must demonstrate not only that the
process can produce a result or product meeting predetermined specifications but also that the
process will consistently produce a result or product meeting predetermined specifications. If
process or product nonconformities related to a validated process are encountered at a higher
than anticipated rate, it may indicate the process validation study did not confirm that the process
could consistently produce a result or product meeting predetermined specifications. Unless the
organization recognized this during the process validation study, they may not have investigated
the cause of the process inconsistency.
9. If product is supplied sterile:
• Verify the sterilization process is validated, periodically re-validated, and records of
the validation are available
• Verify that devices sold in a sterile state are manufactured and sterilized under
appropriately controlled conditions
• Determine if the sterilization process and results are documented and traceable to
each batch of product
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.5.1.3, 7.5.2.2; TG(MD)R Sch1 2(1) & 8.3, Sch3 P1 1.4(5)(d); RDC
ANVISA 16/2013: 5.1.6, 5.5; CMDR 17; 21 CFR 820.75, 820.184(d)]

Additional country-specific requirements:

Australia (TGA):

Verify that methods of sterilization validation have regard to the generally acknowledged state of the art (e.g.
current Australian Medical Device Standard Orders - MDSO, ISO 11135, ISO 11137) [TG(MD)R Sch1 P1 2(1)].

Assessing conformity:

Validation of sterilization processes

Sterilization processes include terminal sterilization methods (such as radiation and ethylene oxide)
as well as aseptic processing methods. Sterilization processes must be validated, with periodic
revalidation as required by established standards or requirements established by the organization.
10.Verify that the system for monitoring and measuring of product characteristics is capable
of demonstrating the conformity of products to specified requirements. Confirm that product
risk is considered in the type and extent of product monitoring activities.
Clause and regulation: [ISO 13485:2003: 7.1, 7.5.1.1, 8.1; 8.2.4; TG(MD)R Sch1 P1 2, Sch3 P1 1.4(5)(b)&(e); RDC
ANVISA 16/2013: 2.4, 5.1.1, 9.1; 21 CFR 820.70(a), 820.250(a)]

Additional country-specific requirements: None

Assessing conformity:

Monitoring systems
The general goal of monitoring processes and product characteristics during production is to
ensure that products conform to the specified requirements defined and approved during the

Companion Document 67
 design and development of the device. The organization has the flexibility to determine the controls
that are necessary, commensurate with the risk to the finished device if processes or product
characteristics do not meet specified requirements. During the audit of production processes,
confirm that the control measures are suitable for detecting process or product nonconformities.
11.Verify that the processes used in production and service are appropriately controlled,
monitored, and operated within specified limits. In addition, verify that risk control measures
identified by the manufacturer for production processes are implemented, monitored and evaluated.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.1, 7.5.1.1, 8.1, 8.2.3; TG(MD)R Sch1 P1 2, Sch3 P1 1.4(5)(b)&(e);
RDC ANVISA 16/2013: 2.4, 5.1.1, 5.1.6, 8.2, 9.1; 21 CFR 820.70(a), 820.75(b), 820.250]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that processes which cannot be fully verified are conducted in accordance with established procedures
and parameters to ensure conformance to specifications. Critical parameters should be monitored and
recorded in the batch record [RDC ANVISA 16/2013: 5.1.6].

United States (FDA):

Verify that the manufacturer has established and maintains procedures for identifying valid statistical
techniques required for establishing, controlling and verifying the acceptability of process capability and
product characteristics, where appropriate [21 CFR 820.250(a)].

Assessing conformity:

Process control and monitoring

Processes that may cause a deviation to device specifications and validated processes must be
controlled and monitored. Control and monitoring procedures may include in-process and finished
device acceptance activities as well as environmental and contamination control measures.
Compare the process monitoring and acceptance procedures contained or referenced within the
records of production specifications with those available to the production personnel. Confirm that
the procedures available to the production personnel are the most current approved revisions.
While in the production area, verify that the building is of suitable design and contains sufficient
space to perform necessary operations. Also, verify that the results of control and monitoring
activities demonstrate that the process is currently operating in accordance with applicable
procedures. This can be done by comparing work instructions with what is actually being done,
comparing product acceptance criteria with acceptance activity results, reviewing control charts
against specified requirements, etc.

Link: Design and Development

The design outputs for a device include documents such as diagrams, drawings, specifications,
procedures, and the production processes that are essential to the proper manufacturing of
the device. Production processes can include not only the manufacturing instructions, but also
internal controls, such as the type and extent of acceptance activities, equipment calibration and
maintenance intervals, environmental controls, and personnel controls. During the audit of the
Production and Service Controls process, consider reviewing production processes that have the
highest risk or greatest effect on the essential design outputs.

68 Companion Document
12.Verify that personnel are competent to implement and maintain the processes in
accordance with the requirements identified by the organization.
Clause and regulation: [ISO 13485:2003: 6.2.2; RDC ANVISA 16/2013: 2.3.2; 21 CFR 820.25, 820.70(d), 820.75(b)]

Additional country-specific requirements: None

Assessing conformity:

Personnel training and qualification

Production processes must be performed by adequately trained personnel. The organization must
establish procedures for identifying training needs and ensure that all personnel are trained to
adequately perform their assigned responsibilities. This training must be documented. In addition,
personnel who perform validated processes must be qualified. It is management’s responsibility to
determine what qualifications are necessary for personnel who perform validated processes.

Link: Management
During the audit of the Production and Service Controls process, ensure that employees who
are involved in key operations that affect product realization and product quality have been
trained in their specific job tasks, as well as the quality policy and objectives. When appropriate,
review the training records for those employees whose activities have contributed to process
nonconformities.

13.Confirm that the organization has determined the monitoring and measuring devices
needed to provide evidence of conformity to specified requirements. Verify that the
monitoring and measuring equipment used in production and service control has been
identified, adjusted, calibrated and maintained, and capable of producing valid results.
Clause and regulation: [ISO 13485:2003: 7.5.1.1, 7.6; TG(MD)R Sch3 P1 1.4(5)(e); RDC ANVISA 16/2013: 5.1.5,
5.4; 21 CFR 820.70(g), 820.72]

Additional country-specific requirements: None

Assessing conformity:

Maintenance and calibration

While reviewing the selected production process, make note of significant pieces of process
equipment and significant pieces of measuring or test equipment. Consider selecting process
and test equipment that, if not properly controlled, could cause devices to not meet specified
requirements; or produce inaccurate results that could lead to unrecognized nonconformities.
Confirm that the production and test equipment selected for review is suitable for its intended
purpose and capable of giving valid results.
Review the maintenance, control, and calibration procedures (and records) for the equipment
selected for review. The initial frequency with which measuring and test equipment is calibrated
and maintained is usually based on the equipment manufacturer’s recommendations. As the
organization gains experience with the piece of equipment, the frequency of calibration and
maintenance may be adjusted, based on a documented rationale.

Companion Document 69
 Accuracy and precision
When accuracy and precision is a factor in the validity of the result of the measuring equipment,
the required accuracy and precision should be defined during the planning of product realization
to ensure the equipment is suitable and capable of providing valid results.
Reviewing records
If production equipment or test equipment is found to be outside of its maintenance or calibration
requirements, verify that the organization made an assessment of the effect of the out-of­
tolerance situation on in-process, finished, or released devices, based on risk. Equipment
adjustment, calibration, and maintenance procedures and records may provide insight into
nonconformities. Review these procedures and records to determine whether inadequate
procedures or the organization’s failure to comply with adequate procedures contributed to the
nonconformity. For example, determine whether the lack of specified equipment adjustment or
maintenance contributed to the production of nonconforming product.
14.Confirm that the organization assesses (and records) the validity of previous
measurements when equipment is found not to conform to specified requirements,
and takes appropriate action on the equipment and any product affected. Verify
that the control of the monitoring and measuring devices is adequate to ensure valid
results. Confirm that monitoring and measuring devices are protected from damage or
deterioration.
Clause and regulation: [ISO 13485:2003: 7.6; TG(MD)R Sch3 P1 1.4(5)(e); RDC ANVISA 16/2013: 5.4; 21 CFR
820.72(a)]

Additional country-specific requirements: None

Assessing conformity:

Control of monitoring and measuring devices

Organizations must maintain proper calibration, storage, and handling controls for measuring,
monitoring, and test equipment used in the development, production, installation, and servicing
of product. Calibration must be traceable to a national or international measurement standard if
one is available. If calibration services are provided by a supplier, the supplier controls are to be
applied to ensure calibration is performed competently. Proper controls will help instill confidence
in results obtained from the use of the equipment.
Procedures
Organizations must define, implement, and maintain procedures for the control of monitoring
and measuring devices. The organization may choose to develop general policies for the
control of monitoring and measuring devices, along with separate, more specific procedures
for the actual calibration and control of each piece of equipment. Procedures must account
for any environmental controls necessary for the equipment to produce valid results, as well as
any specific storage or handling requirements when necessary. For example, a set of calibrated
calipers may require storage in a padded case to maintain the required accuracy and precision.
Confirm that the organization has the proper procedures and controls in place to preserve the
proper functioning of monitoring, measuring, and test equipment.

70 Companion Document
 When equipment is found to be out-of-tolerance
The organization may discover that monitoring or measuring equipment is no longer within its
adjustment or calibration tolerance. In these situations, the organization must assess and record
the validity of previous measuring results and take appropriate action on the equipment and any
product affected.
15.If the selected process is software controlled or if software is used in production
equipment or the quality management system, verify that the software is validated for its
intended use. Software validation may be part of equipment qualification.
Clause and regulation: [ISO 13485:2003: 7.5.2.1, 7.6; RDC ANVISA 16/2013: 5.5.2; 21 CFR 820.70(i)]

Additional country-specific requirements: None

Assessing conformity:

Validation of production and quality system software

Production process control software (and any other software used in the organization’s quality
system) must be validated for its intended use according to an established protocol. If the production
process the audit team selected for review is controlled with software, review the software validation
documents and records. Software validation documents and records should include:
a) A software requirements document describing the intended use(s) and user needs associated
with the software.
b) An established validation protocol or similar document describing the activities necessary to
demonstrate that the software requirements can be met.
c) Records of the results of the software validation activities described in the software validation
protocol or similar document.
d) Records that software changes are appropriately controlled (where applicable).
For off-the-shelf quality management system software and software-controlled production or test
equipment, it may not be possible, practical, or necessary for the device manufacturer to review
the software code or the various software verification test cases that are typically performed by
the software or equipment manufacturer. However, the device manufacturer must still ensure the
software is capable of functioning according to the device manufacturer’s needs. The validation
to confirm the software meets the device manufacturer’s needs must be performed according to a
protocol or similar document with predetermined acceptance criteria.
If multiple software driven systems are used in the production process, be sure to assess
the system(s) most likely to have an impact on the finished device’s ability to meet specified
requirements. Not all software driven systems used in a production process will need to be
audited during each audit.
16.Determine if the manufacturer has established and maintained a file for each type
of device that includes or refers to the location of device specifications, production
process specifications, quality assurance procedures, traceability requirements, and
packaging and labeling specifications. Confirm that the manufacturer determined the extent
of traceability based on the risk posed by the device in the event the device does not meet specified
requirements.

Companion Document 71
 Clause and regulation: [ISO 13485:2003: 4.2.1; 4.2.4; 7.1; 7.5.3.2.1; TG(MD)R Sch3 P1 1.4(5) (c),(d),(e) & 1.9; RDC
ANVISA 16/2013: 1.2.26, 2.4, 4.2, 5.2, 6.4; CMDR 9(2), 21-23, 52-56, 66-68; 21 CFR 820.65, 820.181]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that the manufacturer has established and maintains procedures to ensure integrity and to prevent
accidental mixing of labels, instructions, and packaging materials [RDC ANVISA 16/2013: 5.2.2.1].

Confirm that the manufacturer has ensured that labels are designed, printed and, where applicable, applied
so that they remain legible and attached to the product during processing, storage, handling and use [RDC
ANVISA 16/2013: 5.2.2.2].

Canada (HC):

Verify that the manufacturer maintains objective evidence that devices meet the safety and effectiveness
requirements of the CMDR [CMDR 9(2)].

Verify that devices sold in Canada have labeling that conforms to Canadian English and French language requirements
and contains the manufacturer’s name and address, device identifier, control number (for Class III and IV devices),
contents of packaging, sterility, expiry, intended use, directions for use and any special storage conditions [CMDR 21-23].

Verify that the manufacturer maintains distribution records in respect of a device that will permit a complete
and rapid withdrawal of the device from the market [CMDR 52-56].

United States (FDA):

If a control number is required for traceability, confirm that such control number is on or accompanies the
device throughout distribution [21 CFR 820.120(e)].

Assessing conformity:

Records
The required records for each type or model of device include documents such as diagrams,
drawings, specifications, and procedures associated with the device, its packaging and labeling;
as well as, quality management system and production process requirements; and if applicable,
installation and servicing requirements. Documents and records associated with production processes
can include not only the manufacturing instructions, but also internal controls, such as the type and
extent of acceptance activities, equipment calibration and maintenance intervals, environmental
controls, and personnel controls. These documents and records provide the requirements and
instructions for the proper manufacturing, labeling, packaging, and testing of the device to assure
specified requirements are met during the production of each batch of devices. For the device(s) the
audit team has selected to review, confirm that the required records have been established.
General traceability
It is the responsibility of the organization to establish procedures for traceability. For devices that
are not implanted and are not life-supporting or life-sustaining, the organization has the flexibility to
determine which raw materials and components are required to be traceable, commensurate with
the risk posed by the device in the event the component does not meet specified requirements.
Traceability systems commonly include elements such as written procedures describing the control
numbering system to be used, as well as the documentation of lot numbers, control numbers, or
serial numbers identifying the batch of components, subassemblies, finished devices, packaging,
and labeling in order to aid their identification in the manufacturing process.

72 Companion Document
 Link: Design and Development
During the design and development of the device, the essential design outputs for the proper
functioning of the device should have been identified. Raw materials, components, and
subassemblies should have been considered for traceability if their nonconformity could result in
the finished device not meeting its specified requirements and essential functions.

17.Determine if the manufacturer has established and maintained a record of the amount
manufactured and approved for distribution for each batch of medical devices, the
record is verified and approved, and the device is manufactured according to the file
referenced in task 16.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.5.1.1; 8.2.4.1; RDC ANVISA 16/2013: 3.2, 5.2, 6.4; 21 CFR 820.184]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that the device history record of the product includes or refers to the following information: date of
manufacture; components used; quantity manufactured; results of inspections and tests; parameters of
special processes; quantity released for distribution; labeling; identification of the serial number or batch of
production; and final release of the product [RDC ANVISA 16/2013: 3.2.1].

Verify that labeling has not been released for storage or use until a designated individual has examined the
labeling for accuracy. The approval, including the date, name, and physical or electronic signature of the
person responsible, must be documented in the device history record [RDC ANVISA 16/2013: 5.2.2.3].

United States (FDA):

Verify that labeling is not released for storage or use until a designated individual has examined the labeling
for accuracy. The release, including the date and signature of the individual performing the examination must
be documented in the device history record (i.e. batch record) [21 CFR 820.120(b)].

Confirm that labeling is stored in a manner that provides proper identification and prevents mix-ups. Verify
labeling and packaging operations are controlled to prevent labeling mix-ups [21 CFR 820.120(c) and (d)].

Verify that the label and labeling used for each production unit, lot, or batch are documented in the batch
record, as well as any control numbers used [21 CFR 820.120(e), 820.184(e)].

Assessing conformity:

Verify manufacturing of the device

Verify that each batch of devices was manufactured in accordance with product and production
specifications, being mindful that in some instances, a batch can be a single device. This
verification should include a review of the purchasing controls and receiving acceptance activities
applied to at least one significant component or raw material, in-process and final finished device
acceptance activities and results, environmental and contamination control records (if applicable),
and sampling plans for process and environmental controls and monitoring.
The record for each batch of devices must include, or refer to the location of, the following
information:
(a) The dates of manufacture;
(b) The quantity manufactured;
(c) The quantity released for distribution;

Companion Document 73
 (d) The acceptance records which demonstrate the device has been manufactured in accordance
with the planned arrangements and defined product specifications;
(e) The primary identification label and labeling used for each production unit;
(f) Any device identification(s) and control number(s) used; and
(g) A provision to indicate that the record has been verified and approved.
Determine if there are problems
If, during the accomplishment of this audit task, the audit team observes evidence that the
process is outside the organization’s acceptance range for operating parameters or that product
nonconformities exist, confirm that the nonconformities were handled appropriately, with input into
the Measurement, Analysis and Improvement process when appropriate.
18.If the organization manufactures active or nonactive implantable medical devices, life-
supporting or life-sustaining devices, confirm that the manufacturer maintains traceability
records of all components, materials, and work environment conditions (if these could
cause the medical device to not satisfy its specified requirements) in addition to records
of the identity of personnel performing any inspection or testing of these devices.
Confirm that the organization requires that agents or distributors of these devices
maintain distribution records and makes them available for inspection. Verify that the
organization records the name and address of shipping consignees for these devices.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.5.3.2.2, 8.2.4.2; 21 CFR 820.65]

Additional country-specific requirements:

Canada (HC):

Verify that the manufacturer has identified Schedule 2 implants and provides implant registration cards with
devices or employs another suitable system approved by Health Canada [CMDR 66-68].

Verify that the manufacturer of devices that are listed on Schedule 2 of the Medical Devices Regulations
maintains distribution records of these devices as well as any information received on implant registration
cards related to these Schedule 2 devices [CMDR 54].

United States (FDA):

Verify that the manufacturer has implemented a tracking system for devices for which the manufacturer has
received a tracking order from FDA. The tracking system must ensure the manufacturer is able to track the
device to the end-user. The manufacturer must conduct periodic audits of the tracking system [21 CFR 821].

Assessing conformity:

Traceability of implantable, life-supporting or life-sustaining devices

Manufacturers of finished devices whose failure could result in serious injury or harm to the
user must implement a traceability system. The traceability system must allow for each batch
of finished devices to be traced by a control number or similar mechanism throughout the
distribution chain. Organizations must also provide for the control and traceability of components
and materials used in the manufacture of the device, as well as documentation of the
manufacturing conditions when manufacturing conditions could cause the finished device to not
meet specified requirements (e.g. cleanroom conditions).

74 Companion Document
 The determination of which components and raw materials may be required to be traceable
may be made by the organization using risk management tools, such as risk analysis, or by
identification of the components and processes used to fulfill the essential design outputs.
Tracking
Some regulatory authorities participating in the MDSAP have requirements for tracking certain
types of devices to the end-user. For regulatory authorities that have tracking requirements, these
requirements generally apply to a small subset of devices that are life-sustaining or life supporting,
intended for implant longer than one year, or are considered by the regulatory authority to be
high risk. If the organization manufactures or distributes a device that falls under a tracking
requirement, confirm that the organization has the necessary systems in place to provide for
tracking each device to the end-user. The organization’s tracking system must be periodically
reviewed and audited by the organization to confirm that the tracking system is effective.
19.Verify that product status identification is adequate to ensure that only product which
has passed the required inspections and tests is dispatched, used, or installed.
Clause and regulation: [ISO 13485:2003: 7.5.3.3; RDC ANVISA 16/2013: 6.1.2, 6.4; 21 CFR 820.86]

Additional country-specific requirements: None

Assessing conformity:

Identification
Identification is generally defined as the description of the product that distinguishes it from other
product. Organizations must define, document, and implement processes for the identification
and control of product, including components, process agents, subassemblies, finished
devices, packaging, and labeling. This can be accomplished through the use of part numbers,
lot numbers, batch numbers, work order numbers, quantities, supplier name, as well as other
means. The extent of identification activities should be based on the complexity and risk of the
product.
20.Verify that the organization has implemented controls to identify, verify, protect, and
safeguard customer property provided for use or incorporation into the product. Verify
that the organization treats patient information and confidential health information as
customer property.
Clause and regulation: [ISO 13485:2003: 7.5.4]

Additional country-specific requirements: None

Assessing conformity:

Safeguarding customer property

The organization is responsible for safeguarding customer property while it is under the
organization’s control. If any customer property is lost, damaged, or otherwise unsuitable for use,
this must be reported to the customer and records maintained.

Companion Document 75
21.Verify that acceptance activities assure conformity with specifications and are
documented. Confirm that the extent of acceptance activities is commensurate with the risk posed by
the device.
Note: Acceptance activities apply to any incoming component, subassembly, or service,
regardless of the manufacturer’s financial or business arrangement with the supplier.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.4.3, 8.2.4.1, 8.2.4.2; TG(MD)R Sch1 P1 2, Sch3 P1 Cl1.4(5)(d);
RDC ANVISA 16/2013: 5.3.1, 5.3.2, 5.3.3, 5.3.4, 9.2; 21 CFR 820.80, 820.250(b)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that sampling plans are defined and based on valid statistical rationale. Each manufacturer must
establish and maintain procedures to ensure that sampling methods are suitable for their intended use and
are reviewed regularly. A review of sampling plans should consider the occurrence of nonconforming product,
quality audit reports, complaints and other indicators [RDC ANVISA 16/2013: 9.2].

United States (FDA):

Verify that the manufacturer establishes and maintains procedures to ensure that sampling methods are
adequate for their intended use and ensure that when changes occur, the sampling plans are reviewed [21
CFR 820.250(b)].

Assessing conformity:

Recognized acceptance activities

Organizations are expected to define, document, and implement systems and procedures for
acceptance activities to verify that products, including finished devices, in-process devices,
components, packaging, and labeling conform to specified requirements. Recognized acceptance
activities include, but are not limited to, inspections, tests, review of certificates of analysis, and supplier
audits. Effective acceptance procedures and systems directly affect the ability of an organization to
demonstrate that the process and product meets specifications. During the audit of acceptance
activities for the devices selected for audit, confirm that the organization has defined processes for
receiving, in-process, and final acceptance activities. Determine if the acceptance activities have
been implemented. One way to accomplish this audit task is to review a sample of batch records and
confirm that the acceptance activities have been documented and that the acceptance activities show
specified requirements have been met. Records should identify who conducted acceptance activities.
The acceptance status of incoming, in-process, and finished devices must be identified. The
identification of acceptance status must be maintained throughout manufacturing, packaging,
labeling, and where applicable, installation and servicing to ensure that only product which has
passed the required acceptance activities is distributed, used, or installed.
Acceptance activities involving related firms
The audit team may encounter situations where the organization receives incoming product from
a financial or corporate affiliate. It is the receiving organization’s responsibility to perform and
record the necessary acceptance activities to ensure the received product conforms to specified
requirements, as well as applying the necessary purchasing controls to the supplier. Acceptance
activities and purchasing controls apply to all product received from outside of the finished
manufacturer, whether a payment occurs or not, and regardless of the corporate or financial
relationship of the supplier to the finished device manufacturer.

76 Companion Document
 Sampling
The audit team may encounter the use of sampling during acceptance activities. For example,
an organization might choose to use sampling to perform receiving acceptance on a large lot
of incoming components. When used, sampling plans must be written and based on a valid
statistical rationale and a risk-based methodology.
Combination of controls
An important concept to remember is that quality cannot be inspected or tested into products.
Organizations must establish an appropriate mix of acceptance activities and purchasing
controls to ensure products will meet specified requirements. The type and extent of acceptance
activities can be based in part on the amount of purchasing controls applied to the supplier, the
demonstrated capability of the supplier to provide quality products, and the potential impact of
the product on the finished device, including the risk the device poses to the patient or user if
specified requirements are not met. Organizations that conduct quality control solely in-house
must still assess the capability of suppliers to provide acceptable products.
Evidence of inadequate acceptance activities
The audit team may encounter instances where product has been deemed acceptable by
the successful completion of acceptance activities but the product is later shown to not meet
specified requirements (i.e. failure of the device leading to product complaint). This can be an
indication that the acceptance activities are not sufficient to identify nonconformities. Confirm that
the organization has taken the appropriate action to determine the suitability of the acceptance
activities.

Link: Purchasing, Design and Development

The audit team should consider reviewing the purchasing controls and requirements for suppliers
of higher risk products. The audit team should also consider reviewing the purchasing controls
and requirements for suppliers of products that undergo minimal acceptance activities at the
device manufacturer, particularly if the supplied product is manufactured using a process that
requires validation. During the review of acceptance activities, if the audit team encounters
situations where records of acceptance activities for supplied product reveal products that do not
meet specified requirements, consider selecting those suppliers for review during the audit of the
organization’s Purchasing process.

The establishment of the necessary purchasing controls and required acceptance activities is
a design output. The degree of the purchasing controls necessary and extent of acceptance
activities should be based on the risk posed by the product not meeting its specified requirements
and essential design outputs.

22.Verify that the identification, control, and disposition of nonconforming products is adequate,
based on the risk the nonconformity poses to the device meeting its specified requirements.
Clause and regulation: [ISO 13485:2003: 7.5.3.1, 8.3; TG(MD)R Sch1 P1 2, Sch3 P1 Cl1.4(5)(b); RDC ANVISA
16/2013: 6.5.1, 6.5.2; 21 CFR 820.60, 820.90(a), 820.86, 820.100(a)]

Additional country-specific requirements: None

Companion Document 77
 Assessing conformity:

Procedures
The purpose of controlling nonconforming product is to prevent the unintended use and
distribution of nonconforming product, including components, processing agents, in-process
devices, and finished devices. Confirm that the organization has defined and implemented
procedures for the identification, control, segregation, evaluation, and disposition of
nonconforming product.
Handling nonconforming product
The organization can address nonconforming product by taking action to eliminate the detected
nonconformity (e.g. sorting an incoming lot of components to remove components that do not
meet specifications), authorizing its use, release, or acceptance under concession, or by taking
action to prevent its original intended use (e.g. allowing the components or devices to be used as
demonstration units at marketing conferences).
Until a disposition can be made, the organization must have a process to properly identify
nonconforming product to prevent its accidental or unauthorized use. One example is tagging
and moving the nonconforming product to a controlled enclosure away from the production area.
If nonconforming product is accepted under concession, the records of the identity of the person
authorizing the concession must be maintained.
If nonconforming product has been detected after a product has been released and put into use
the organization must consider the risks associated with the device and may need to consider an
advisory notice or recall.
Evaluation of nonconforming product
The evaluation of a nonconformity must include a determination of the need for an investigation
and notification of the persons or organizations responsible for the nonconformity, such as a
supplier. Ensure that the organization has adequately established an interface / interaction
between the processes for the identification of non-conforming product and the processes for
corrective action. These interactions should be evident in the quality manual.

Link: Measurement, Analysis and Improvement

The audit team should be mindful of any instances where the acceptance of nonconforming
product has led to finished devices not meeting specified requirements. This information can
often be found in records of acceptance activities and complaint records. During the review
of the organization’s corrective and preventive actions, the auditors may have noted instances
where nonconforming products were found to be the underlying cause of quality problems and
complaints. The audit team should consider reviewing the organization’s handling and evaluation
of nonconforming products that were determined to be the underlying cause of quality problems.
Ensure that the analysis of data regarding nonconforming product is considered as an input to the
organization’s Measurement, Analysis and Improvement process and that corrective or preventive
actions have been implemented when necessary.

78 Companion Document
23.If a product needs to be reworked, confirm that the manufacturer has made a
determination of any adverse effect of the rework upon the product. Verify that the
rework process has been performed according to an approved procedure, that the
results of the rework have been documented, and that the reworked product has been
re-verified to demonstrate conformity to requirements.
Clause and regulation: [ISO 13485:2003: 8.3; RDC ANVISA 16/2013: 6.5.3; 21 CFR 820.90(b)]

Additional country-specific requirements: None

Assessing conformity:

Reworking nonconforming product

The audit team may encounter instances where the organization has chosen to address
nonconforming product by means of reworking the component, subassembly or finished device.
The organization must have suitable approved procedures in place to address nonconforming
product destined for rework. Reworked product must be re-evaluated or re-tested to ensure it
meets its original specified requirements. Rework must be documented.
Be mindful of instances where the underlying cause of quality problems, such as complaints
that finished devices do not meet specified requirements, are traced to devices that have been
reworked. This can be an indication that the rework process was not adequate to ensure the
finished device meets specifications.
Additionally, rework of products manufactured using validated processes can be an indication that
the process cannot consistently produce product that meets specified requirements. If the audit
team notes a pattern of reworking products that are manufactured using a validated process,
consider reviewing the process validation to confirm that the organization has data to show the
process is effective, reproducible, and stable; and that the organization is operating the process
within the validated parameters.
24.Verify that procedures are established and maintained for preserving the conformity
of product and constituent parts of a product during internal processing, storage, and
transport to the intended destination. This preservation encompasses identification,
handling, packaging, storage, and protection, including those products with limited
shelf-life or requiring special storage conditions.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.5.3.1, 7.5.5; TG(MD)R Sch1 P1 5; RDC ANVISA 16/2013: 5.2.1,
6.1.1, 6.2.1; CMDR 14; 21 CFR 820.130, 820.140, 820.150, 820.160(a)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that the manufacturer has established procedures for the packaging of products in order to protect the
product from deterioration, damage, or contamination during processing, storage, handling, and distribution
[RDC ANVISA 16/2013: 5.2.1].

United States (FDA):

Confirm that the manufacturer established and maintains procedures that describe the methods for
authorizing receipt from and dispatch to storage areas and stock rooms [21 CFR 150(b)].

Verify that the manufacturer established and maintains procedures for control and distribution of finished devices
to ensure that only those devices approved for release are distributed and that purchase orders are reviewed to
ensure ambiguities and errors are resolved before devices are released for distribution [21 CFR 820.160(a)].

Companion Document 79
 Assessing conformity:

Ensuring proper handling

The organization must have a documented system that defines product handling requirements
at all stages of manufacturing to prevent mix-ups, damage, and deterioration. This can include
specified requirements for storage and shipping to ensure the preservation of the product to its
destination. For example, an in-vitro diagnostic device may need to be stored and shipped in a
frozen state to maintain proper shelf-life of the reagents. These handling requirements should
have been considered during the planning of product realization for the device. When necessary,
confirm that the needed control measures are implemented to ensure the conformity of product to
its specified requirements.
25.Confirm that the organization performs a review of the customer’s requirements,
including the purchase order requirements, prior to the organization’s commitment to
supply a product to a customer. Verify that the organization maintains documentation
required by regulatory authorities regarding maintenance of distribution records.
Clause and regulation: [ISO 13485:2003: 4.2.1; 5.2, 7.2.2, RDC ANVISA 16/2013: 6.3; 21 CFR 820.160(a)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that the manufacturer maintains distribution records which include or make reference to: the name and
address of the consignee, the identification and quantity of products shipped, the date of dispatch, and any
numerical control used for traceability [ANVISA RDC 6.3].

Canada (HC):

Verify that the manufacturer maintains distribution records that contain sufficient information to permit
complete and rapid withdrawal of the medical device from the market [CMDR 52-53].

Verify that distribution records of a device are retained by the manufacturer in a manner that will allow for
timely retrieval, for the longer of (a) the projected useful life of the device; and (b) two years after the date the
device was shipped [CMDR 55-56].

United States (FDA):

Verify that the manufacturer maintains distribution records which include or refer to the location of the name
and address of the initial consignee, the identification and quantity of devices shipped; and any control
numbers used [21 CFR 820.160(b)].

Assessing conformity:

Distribution records
The organization must maintain distribution records which include or refer to the location of the
initial consignee, the identification and quantity of devices shipped, the date shipped, and any
control numbers used.
26.If installation activities are required, confirm that records of installation and verification
activities are maintained.
Clause and regulation: [ISO 13485:2003: 7.5.1.2.2; RDC ANVISA 16/2013: 8.1; 21 CFR 820.170]

Additional country-specific requirements: None

80 Companion Document
 Assessing conformity:

Installation activities
When a device must be installed for suitable functioning, the organization must establish
procedures and instructions to ensure proper installation. These instructions must be made
available to personnel performing the installation. Installation activities must be documented.
Determining the extent of review
In the absence of identified quality problems related to the installation of the selected device, the
audit team may choose to limit the review of the installation process to confirming the necessary
procedures are in place.
27.Determine if servicing activities are conducted and documented in accordance with
defined and implemented instructions and procedures. Confirm that service records
are used as a source of quality data in the Measurement, Analysis and Improvement
process.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.5.1.2.3, 8.4; RDC ANVISA 16/2013: 8.2; 21 CFR 820.200]

Additional country-specific requirements:

Brazil (ANVISA):

Confirm that the manufacturer has established and maintains procedures to ensure that records of servicing
activities are kept with the following information: the product serviced; the control number of the product
serviced; the date of completion of service; identification of the service provider; description of service
performed; and results of inspections and tests performed [RDC ANVISA 16/2013: 8.2.1].

Verify that the manufacturer periodically reviews the records of servicing activities. In cases where the analysis
identifies trends that pose danger or records involving death or serious injury, a corrective or preventive
action must be initiated [RDC ANVISA 16/2013: 8.2.2].

United States (FDA):

Verify that each manufacturer who receives a service report that represents an event that must be reported to
FDA as a medical device report automatically considers the report a complaint [21 CFR 820.200(c)].

Confirm that service reports are documented and include the name of the device serviced, any device
identification(s) and control number(s) used, and the date of service [21 CFR 820.200(d)].

Assessing conformity:

Procedures
When servicing is a specified requirement, the organization must define and maintain procedures,
instructions, and processes for performing and verifying that servicing activities meet specified
requirements.
Servicing process
When organizations implement servicing programs, the organization must ensure components
used for repair are acceptable for the intended use, inspection and test procedures are available,
and test equipment is properly maintained to ensure serviced devices will perform as intended
after servicing. Personnel performing service activities must have the appropriate training.

Companion Document 81
 The audit team may observe instances where nonconformities occurred and/or complaints were
received after the servicing of the device. This can be an indication that the service activity was
not properly controlled or that service personnel do not have the proper equipment, instructions,
or training to perform the required service.
Analysis of service reports
Service reports can be an important source of quality data for input into the organization’s
Measurement, Analysis and Improvement process. When necessary, confirm data regarding
service reports is analyzed for possible corrective action or preventive action. Service reports
must also be analyzed to determine if the service event represents an adverse event that is
reportable to regulatory authorities.
In some instances, product complaints may be initially recorded by the organization as a
service report. For example, a user may report to the device manufacturer that a patient blood
parameter monitoring device is not working correctly and requires service. Upon receipt of the
device from the user by the organization’s service function, the service function notes the reason
the monitoring device is not working is that an essential component within the device failed
prematurely. This service report should be considered by the organization to be a complaint and
analyzed by the manufacturer to determine if an adverse event report needs to be submitted to
regulatory authorities.

Link: Measurement, Analysis and Improvement

During the audit of the organization’s Measurement, Analysis and Improvement process, the
audit team may have already confirmed that quality data from the analysis of servicing activities is
analyzed for possible corrective or preventive action. When reviewing the organization’s service
reports, the audit team should be mindful of service reports that appear to be product complaints.
Ensure that service reports that appear to be complaints have been appropriately addressed.
In some instances, a similar quality problem for a particular device may be found in the service
reports and the complaint records. In these instances, confirm that the organization is taking
appropriate corrections and/or corrective actions considering a similar quality problem is observed
in multiple data sources.

28.When appropriate, verify that risk control and mitigation measures are applied to transport, installation
and servicing, in accordance with the organization’s risk management practices.
Clause and regulation: [ISO 13485:2003: 7.1, 7.5.1.1, 7.5.1.2.2, 7.5.1.2.3; TG(MD)R Sch1 P1 2; RDC ANVISA
16/2013: 2.4; 21 CFR 820.160(a), 820.170(a), 820.200(a)]

Additional country-specific requirements: None

Assessing conformity:

Risk control
The requirements for delivery, installation, and servicing of a particular device should have
already been evaluated and addressed by the organization during design and development and
planning for product realization. If risk control measures were identified involving the delivery,
installation, and servicing for a particular device, confirm that the necessary processes have been
implemented to ensure the risk control measures are in place. For example, an organization may
have identified that in order for a medical imaging device to give accurate images, servicing must

82 Companion Document
 be performed by trained personnel according to specific instructions. Risk control measures
might include warnings on the imaging device that only authorized personnel should service the
device and the design of a unique tool to access the inside of the device that is only provided to
authorized service personnel.
29.Determine, based on the assessment of the production and service control process
overall, whether management provides the necessary commitment to the production
and service control process to ensure devices meet specified requirements and quality
objectives.
Clause and regulation: [ISO 13485:2003: 4.1; RDC ANVISA 16/2013: 2.2.1]

Companion Document 83
 Medical Device Single Audit Program
Chapter 7
Process: Purchasing

The intent of the Purchasing process is to ensure that purchased, subcontracted, or otherwise
received products and services conform to specified requirements. The organization is expected
to establish and maintain documented controls for planning and performing purchasing activities.
The controls necessary depend on the effect of the product on the quality, safety, and effectiveness
of the finished device. Effective purchasing processes incorporate purchasing requirements and
specifications, the selection of acceptable suppliers based on the capability of the suppliers to
provide acceptable product, the performance of necessary acceptance activities, and maintenance
of the required quality records.
The management representative is responsible for ensuring that the requirements of the quality
management system have been effectively defined, documented, implemented, and maintained. Prior
to the audit of any MDSAP process, interview the management representative (or designee) to obtain
an overview of the process and a feel for management’s knowledge and understanding of the process.
The Purchasing process is integral to the other processes of the MDSAP audit sequence. As the
audit is being performed of the organization’s Measurement, Analysis and Improvement process,
Design and Development process, and Production and Service Controls process, the audit team
should be assessing the affect purchased product has on the quality of the finished device. The
audit team should be using information learned about actual and potential product and process
nonconformities during the audit of the Measurement, Analysis and Improvement process, higher risk
elements and essential design outputs from the design projects reviewed during audit of the Design
and Development process, in addition to significant outsourced product and production processes
identified during the audit of the Production and Service Controls process to make decisions as to
supplier evaluation files to be reviewed during the audit of the Purchasing process.
The organization’s Purchasing process may be reviewed in conjunction with the Measurement,
Analysis and Improvement process, the Design and Development process, and the Production and
Service Controls process, being mindful of the MSDAP process linkages. The Purchasing process
should be considered a critical process for those organizations that outsource essential activities
such as design and development and/or production to one or more suppliers.
Purpose: The purpose of auditing the Purchasing process is to verify that the manufacturer’s
processes ensure that products (e.g. components, materials and services provided by suppliers,
including contractors and consultants) are in conformance with specified purchase requirements,
including quality management system requirements. This is particularly important for those
organizations who outsource activities such as design and development and/or production to
one or more suppliers, and when the supplied product or service cannot be verified by inspection
(e.g. sterilization services). Suppliers include those providers of any product received from outside
the manufacturer, including corporate or financial affiliates, where the product has an effect on
subsequent product realization or the final product.
Outcomes: As a result of the audit of the Purchasing process, objective evidence will show whether
the manufacturer has:

84 Companion Document
A) Defined, documented and implemented procedures to ensure purchased or otherwise supplied
products conform to specified purchase requirements
B) Established criteria for the selection, evaluation and re-evaluation of suppliers based on the type
and significance of the product purchased and the impact of the supplied product on subsequent
product realization or the quality of the finished device
C) Performed the evaluation and selection of suppliers based on the capability of the supplier to
meet specified requirements
D) Ensured the continued capability of suppliers to provide quality products that meet specified
purchase requirements through re-evaluation
E) Determined and implemented an appropriate combination of controls applied to suppliers in conjunction
with acceptance verification activities to ensure conformity to product and quality management system
requirements, based on the impact of the supplied product on the finished device

Links to Other Processes: Management; Design and Development; Measurement,

Analysis and Improvement; Production and Service Controls

Audit Tasks and Links to Other Processes:

1. Verify that planning activities describe or identify products to purchase and processes
to outsource, the specified requirements for purchased products, the requirements
for purchasing documentation and records, purchasing resources, the activities
for purchased product acceptance, and risk management in supplier selection and
purchasing.
Clause and regulation: [ISO 13485:2003: 4.1, 7.1, 7.4.1; TG(MD)R Sch1 P1 2, Sch3 P1 Cl1.4(5)(d)(ii); RDC ANVISA
16/2013: 2.5.1, 2.4; 21 CFR 820.20, 820.50]

Additional country-specific requirements: None

Assessing conformity:

Planning
In planning product realization, the organization must determine as appropriate the quality
objectives and requirements for the purchased products, the processes, documents, and
resources specific to the purchased products, the criteria for purchased product acceptance,
and the required verification, monitoring, inspection, and test activities specific to the purchased
products. Planning of product realization often begins in the design and development of the
product, including the translation of the design into production specifications. The translation of
the design into production specifications includes the establishment of specified requirements for
purchased product.
Quality objectives
Quality objectives are typically expressed as a measurable target or goal. The planning of product
realization should include consideration of how the purchased product, the criteria for purchased
product acceptance, and the required verification, monitoring, inspection, and test activities
specific to the purchased product will achieve the quality objectives.

Companion Document 85
 Links: Design and Development, Management
During the review of a design project, confirm that the organization has considered the effect
of purchased product on the essential design outputs. For suppliers that provide product and
services related to the essential design outputs, the degree of purchasing controls necessary is
commensurate with the effect of the supplied product on the proper functioning of the finished
device. During the audit of the Purchasing process, confirm when necessary that the degree
of control over suppliers of purchased product has been made based on the risk the supplied
product poses to the ability of the finished device to meet specified requirements.

Additionally, confirm when necessary that the quality objectives related to the purchased product
were considered for inclusion in management review.

2. Select one or more supplier evaluation files to audit.

Priority criteria for selection:
• Indications of problems with supplied products or processes from audit of the Measurement,
Analysis and Improvement process
• Suppliers of higher risk products or processes
• Suppliers who provide products or services that directly impact the design outputs required for
proper functioning of the device
• Suppliers of processes that require validation or revalidation
• Newly approved suppliers of products or services
• Suppliers of products or services used in the manufacturing of multiple products
• Suppliers of components or services not covered during previous audits
3. Verify that procedures for ensuring purchased product conforms to purchasing
requirements have been established and documented.
Clause and regulation: [ISO 13485:2003: 7.4.1; TG(MD)R Sch3 P1 Cl1.4(5)(d)(ii); RDC ANVISA 16/2013: 2.5.1; 21
CFR 820.50]

Additional country-specific requirements: None

Assessing conformity:

Procedures
The organization must define, document, and implement procedures to ensure that purchased
product conforms to specified requirements. These procedures commonly contain information as
to the mechanisms by which the organization is going to categorize suppliers based on the risk
the supplied product has on the ability of the finished device to meet specified requirements, the
criteria the organization intends to use to evaluate the suppliers, the means of determination that
a supplier is acceptable, the methods for supplier monitoring, the requirements for re-evaluating
suppliers, and the means by which a supplier might be determined to be unacceptable.

86 Companion Document
 It is important to remember that the requirements for purchasing controls apply to all product
received from an outside source by the finished device manufacturer that have an impact on
product realization, whether a payment occurs or not, and regardless of the corporate or financial
affiliation between the supplier and finished device manufacturer.
4. Verify that the procedures assure the type and extent of control applied to the supplier
and the purchased product is dependent upon the effect of the purchased product on
subsequent product realization or the final product.
Clause and regulation: [ISO 13485:2003: 7.4.1; RDC ANVISA 16/2013: 2.5.2; 21 CFR 820.50]

Additional country-specific requirements: None

Assessing conformity:

Extent of control
The type and extent of control applied to the supplier must take into consideration the affect
the supplied product has on the finished device. Procedures commonly contain methods to
categorize suppliers, based on the importance of the supplied product to the proper functioning
of the finished device and the past history (if applicable) of the supplier.
Be mindful of organizations that use a “one-size-fits-all” approach to managing their suppliers, as
these systems may not provide the necessary amount of evaluation and oversight over suppliers
of products essential for the proper functioning of the finished device.
5. Verify that criteria for the selection, evaluation and re-evaluation of suppliers have been
established.
Clause and regulation: [ISO 13485:2003: 7.4.1; RDC ANVISA 16/2013: 2.5.2, 2.5.3; 21 CFR 820.50(a)]

Additional country-specific requirements: None

Assessing conformity:

Evaluation criteria
The organization must define, document, and implement procedures outlining the criteria for the
selection, evaluation and re-evaluation of suppliers. The procedures for supplier evaluation and
selection typically include such items as the methods by which suppliers will be evaluated and the
means and frequency by which supplier performance will be monitored.
The evaluation of suppliers must provide a means to assess the capability of the supplier to
supply products that meet specified requirements. The organization can assess a supplier’s
capability to supply quality product in a number of ways, including but not limited to performing
supplier audits, first-article inspections, supplier surveys, and reviewing the supplier’s past history
in supplying a similar product or service if applicable.
The organization may also choose to consider the supplier’s conformity with quality management
system requirements through third party certifications; however, third party certification should not
be relied on exclusively in initially evaluating a supplier.

Companion Document 87
6. Verify that suppliers are selected based on their ability to supply product or services
in accordance with the manufacturer’s specified requirements. Confirm that the degree of
control applied to the supplier is commensurate with the significance of the supplied product or service on
the quality of the finished device, based on risk.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.1, 7.4.1; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.5.3, 2.4;
21 CFR 820.50(a)]

Additional country-specific requirements:

Australia (TGA):

If the manufacturer outsources to the Australian Sponsor a quality management system requirement
or an obligation on the manufacturer from the Australian regulations, verify that the manufacturer treats
the Sponsor as a supplier and has adequate supplier controls for those activities. For example, making
applications on behalf of the manufacturer to the TGA [TG Act s41EB], representing the manufacturer
in interactions with the TGA [41FN(3)], adverse event reporting, as the first point for handling customer
complaints, as an intermediary in recalls of products [TG(MD) Regs Schedule 3 - Part 1:1.4(3)], or in the
notification of substantial changes to the quality management system or product range or the provision of
records [TG(MD) Regs Schedule 3 - Part 1:1.5, 1.9].

Canada (HC):

Verify that any regulatory correspondent used by the manufacturer is treated as a supplier and is adequately qualified.

Assessing conformity:

Supplier selection
The selection of suppliers must be based on defined criteria. An important concept to remember is that quality
cannot be inspected or tested into products. Finished device manufacturers who choose to conduct product
quality control solely in-house must still assess the capability of suppliers to provide acceptable product.
Some organizations require suppliers to maintain various types of certifications or registrations. While
registrations and third-party certifications may be considered in supplier evaluations, the organization
should not exclusively rely on these methods to perform the initial evaluation of suppliers.
For the supplier(s) the audit team has chosen to review, confirm that the organization’s selection
of the supplier was based on defined criteria commensurate with the risk posed if the supplied
product causes the finished device to not meet specified requirements.

Links: Design and Development, Production and Service Controls

The establishment of the necessary purchasing controls and required acceptance activities is a design output.
The degree of the purchasing controls necessary and extent of acceptance activities should be based on the
risk posed by the product not meeting its specified requirements and essential design outputs.
Auditors may encounter situations where the organization outsources processes that require validation.
During the review of the Purchasing process, review the controls the organization has instituted over suppliers
that perform validated processes. This typically includes confirming that the finished device manufacturer
has reviewed the process validation data generated by the supplier to ensure the process is effective,
reproducible, and stable. This can be particularly important for higher risk validated processes performed by
suppliers, since the finished device manufacturer does not have immediate control over those processes.
The audit team should also consider reviewing the purchasing controls and requirements for
suppliers of products that undergo minimal acceptance activities at the device manufacturer.

88 Companion Document
7. Verify that records of supplier evaluations are maintained.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.4.1; RDC ANVISA 16/2013: 2.3.3, 2.5.3; 21 CFR 820.50(a)]

Additional country-specific requirements:

Brazil (ANVISA):

Confirm that the manufacturer establishes and maintains records of approved suppliers, contractors, and
consultants [RDC ANVISA 16/2013: 2.3.3, 2.5.3].

United States (FDA):

Confirm that the manufacturer establishes and maintains records of acceptable suppliers, contractors, and
consultants [21 CFR 820.50(a)(3)].

Assessing conformity:

Records of supplier evaluations

The organization must maintain records of the evaluation of the capability of the supplier to
meet specified requirements. The records should include the mechanism by which the supplier
was evaluated, the results of the evaluation, and the determination of whether the supplier was
deemed to be acceptable.
For the supplier(s) the audit team has selected, review the organization’s evaluation of
the supplier(s). Confirm that the evaluation was made according to defined criteria and is
commensurate with the effect the supplied product has on the essential design outputs.
8. Verify that the manufacturer maintains effective controls over suppliers and product, so
that specified requirements continue to be met.
Clause and regulation: [ISO 13485:2003: 7.4.1; RDC ANVISA 16/2013: 2.5.3; 21 CFR 820.50(a)]

Additional country-specific requirements: None

Assessing conformity:

Monitoring supplier performance

The organization must define and implement processes to monitor the performance of suppliers.
The monitoring of supplier performance should not be based solely on cost considerations or on-
time deliveries. The monitoring of suppliers should take into consideration the actual performance
of the supplier in terms of providing products that meet specified requirements. Examples of
supplier monitoring activities may include, but are not limited to supplier re-audits, statistical
analysis of incoming acceptance results, monitoring of complaints and nonconformities related to
supplied product, independent confirmation of certificate of conformance data, and consideration
of the supplier’s responses to requests for corrective action.
In order for the supplier to maintain a status as an acceptable supplier, the supplier must be
capable of supplying product that consistently meets the manufacturer’s specified requirements.
If supplier monitoring does not demonstrate that the supplier has the capability to provide
acceptable products, the organization must have a means to undertake appropriate action,
including such activities as requesting corrective action from the supplier, and in some cases,
removing the supplier from records of acceptable suppliers.

Companion Document 89
 For the supplier(s) the audit team has chosen to review, confirm that the supplier monitoring is
documented and reviewed by the appropriate individuals responsible for supplier selection. Be
particularly mindful of instances where supplied product has caused complaints and/or product
nonconformities. Verify that the organization has performed the appropriate monitoring of the supplier
and taken actions when necessary, such as requesting the supplier undertake a corrective action.

Links: Production and Service Controls, Measurement, Analysis and Improvement

Organizations are expected to define, document, and implement systems and procedures for
acceptance activities to verify that supplied products conform to specified requirements. Effective
acceptance procedures and systems directly affect the ability of an organization to demonstrate
that supplied products meets specifications. During the audit of the Production and Service
Controls process, confirm that the appropriate acceptance activities have been implemented and
monitored to ensure the received product meets specified requirements.

Additionally, organizations are required to determine, collect, and analyze appropriate data to
demonstrate the ability of suppliers to provide acceptable product. During the audit of the
Measurement, Analysis and Improvement process, confirm that analysis of supplier performance
data has been performed and considered for corrective or preventive action when necessary.

9. Confirm that the re-evaluation of the capability of suppliers to meet specified requirements is performed
at intervals consistent with the significance of the product on the finished device.
Clause and regulation: [ISO 13485:2003: 7.4.1; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.5.2, 2.4; 21 CFR
820.50(a)]

Additional country-specific requirements: None

Assessing conformity:

Supplier re-evaluation intervals

Organizations must implement the appropriate combination of supplier evaluation, supplier
monitoring, and acceptance activities to provide the necessary confidence in the acceptability of
supplied product. However, supplier evaluation is not a “one-time” assessment. The organization
must ensure the continued capability of the supplier to provide product that meets specified
requirements. The frequency of re-evaluation must be performed according to the organization’s
procedures and at intervals consistent with the significance of the product or service on the
finished device. The frequency of re-evaluation may change based on identified quality problems
with the supplied product.
For the supplier(s) the audit team has chosen to review, confirm that the re-revaluation of the
supplier was performed commensurate with the risk the supplied product poses to the ability of
the finished device to meet specifications.

Link: Measurement, Analysis and Improvement

The frequency and extent of supplier re-evaluation activities may be based, in part, on the
performance of the supplier as demonstrated by such activities as statistical monitoring of the
supplier, monitoring of complaints and nonconformities related to supplied product, and corrective
or preventive actions related to the supplier.

90 Companion Document
10.Verify that the organization assures the adequacy of purchasing requirements for products and services
that suppliers are to provide, and defines risk management activities and any necessary risk control
measures. Confirm that the manufacturer ensures the adequacy of specified purchase
requirements prior to their communication to the supplier.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.4.2, TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4, 2.5.4, 2.5.6;
21 CFR 820.50(b)]

Additional country-specific requirements:

Brazil (ANVISA):

Confirm that purchase orders are approved by a designated person. This approval, including date and
signature, shall be documented [RDC ANVISA 16/2013: 2.5.4].

Assessing conformity:

Adequacy of purchasing information

Purchasing information is commonly provided to suppliers in documents such as, but not limited
to, specification sheets, drawings, contracts, purchase orders, and quality agreements. The
amount of detail required in the purchasing information must be commensurate with the effect of
the supplied product on the performance of the finished device.
Risk control measures
The finished device manufacturer is responsible for the quality and performance of the finished
device. The specified requirements for the finished device cannot be met unless the individual
parts of the finished device meet specifications. While the finished device manufacturer
may require certain risk management activities to be adopted by the supplier to help ensure
acceptability of incoming product, the ultimate responsibility for the finished device is borne by
the finished device manufacturer. The finished device manufacturer is responsible for identifying
any risk control measures that are required for the supplied product. For suppliers that provide
product and services related to the essential design outputs, the degree of necessary risk control
measures is commensurate with the effect of the supplied product on the proper functioning of
the finished device.
Some examples of risk control measures related to supplied product include, but are not
limited to, requiring the supplier to use quality assurance procedures approved by the device
manufacturer, the establishment of inspections or testing of supplied product before shipment
to the manufacturer, requiring each incoming shipment be accompanied by a certificate of
conformance, periodic verification of the certificate of conformance by third-party laboratory
analysis, implementation of acceptance activities at the finished device manufacturer based on
the risk the supplied product poses to the ability of the finished device to meet specifications,
and the verification of validation data by the finished device manufacturer for validated processes
performed by a supplier.
For the supplier(s) files the audit team has selected for review, confirm that risk control measures
have been identified when appropriate and the risk control measures have been implemented and
are effective. If the auditor(s) observe that supplied product has been identified as an underlying
cause of complaints and nonconformities, this can be an indication that the risk control measures
are inadequate or ineffective.

Companion Document 91
11.Verify that the organization documents purchasing information, including where
appropriate the requirements for approval of product, procedures, processes,
equipment, qualification of personnel, and other quality management system
requirements.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.4.2; RDC ANVISA 16/2013: 2.5.4, 2.5.5; 21 CFR 820.50(b)]

Additional country-specific requirements:

Brazil (ANVISA):

Confirm that an agreement is established and documented in which suppliers agree to notify the
manufacturer of any change in the product or service, so that the manufacturer can determine whether the
change affects the quality of the finished product [RDC ANVISA 16/2013: 2.5.5].

United States (FDA):

Verify that purchasing documents contain, where possible, an agreement that the supplier agrees to notify the
manufacturer of changes in products or services that may affect the quality of a finished device [21 CFR 820.50(b)].

Assessing conformity:

Documenting purchasing information

Purchasing information must describe the product to be purchased, including (when appropriate)
the requirements for approval of product, procedures, processes, and equipment, the requirements
for qualification of personnel, and quality management system requirements related to the
purchased product. Where possible, the purchasing information must contain an agreement that
the supplier agrees to notify the manufacturer of changes in products or services that may affect the
quality of the finished device. The manufacturer should approve or reject these changes, based on
the impact of the change on the essential design outputs of the finished device.
Purchasing information may be recorded in written or electronic format, but must be documented.
12.Verify that documents and records for purchasing are consistent with traceability
requirements where applicable.
Clause and regulation: [ISO13485:2003 7.4.2, 7.5.3.2; RDC ANVISA 16/2013: 2.5.4, 6.4; 21 CFR 820.65, 820.160]

Additional country-specific requirements: None

Assessing conformity:

Traceability
It is the responsibility of the organization to establish procedures for traceability. For devices that
are not implanted and are not life-supporting or life-sustaining, the organization has the flexibility to
determine which raw materials and components are required to be traceable, commensurate with
the risk posed by the device in the event the component does not meet specified requirements.
Manufacturers of finished devices whose failure could result in serious injury or harm to the user,
or are implanted or life-supporting or life-sustaining must implement a traceability system. The
traceability system must allow for each batch of finished devices to be traced by a control number
or similar mechanism throughout the distribution chain. Organizations must provide for the
control and traceability of components and materials used in the manufacture of the device when
these could cause the finished device to not meet specified requirements.

92 Companion Document
 The determination of which components and raw materials may be required to be traceable
may be made by the organization using risk management tools, such as risk analysis, or by the
identification of the components and processes used to fulfill the essential design outputs.
13.Confirm that the verification (inspection or other activities) of purchased products is
adequate to ensure specified requirements are met. Confirm that the manufacturer has
implemented an appropriate combination of controls applied to the supplier, the specification of purchase
requirements, and acceptance verification activities that are commensurate with the risk of the supplied
product upon the finished device.
Clause and regulation: [ISO 13485:2003: 4.2.1, 7.1, 7.4; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4, 2.5.2,
5.3.1, 5.3.2, 5.3.3; 21 CFR 820.50, 820.80(b)]

Additional country-specific requirements:

Brazil (ANVISA):

Verify that the manufacturer has established and maintains procedures to ensure the retention of
components, raw materials, in-process products and returned products until inspections, tests or other
specified verifications have been performed and documented [RDC ANVISA 16/2013: 5.3.3].

Assessing conformity:

Establishment of acceptance activities

The organization must establish an appropriate combination of supplier assessment and receiving
acceptance activities to ensure products and services are acceptable for their intended use. After
a supplier has been approved, the necessary acceptance activities for the supplied product must
be implemented. The degree of acceptance activities may vary with the type and significance of
the product or service on the quality of the finished device and the extent of measures performed
by the supplier to ensure product acceptability.
Organizations are expected to define, document, and implement processes and procedures
for acceptance activities to verify that supplied products conform to specified requirements.
Recognized acceptance activities include, but are not limited to, inspections, tests, reviews of
certificates of analysis, and supplier audits. Effective acceptance procedures and systems directly
affect the ability of an organization to demonstrate the process and product meet specifications.
It is important to remember that acceptance activities apply to any incoming component,
subassembly, or service, whether a payment occurs or not, and regardless of the manufacturer’s
financial or business arrangement with the supplier.
14.Verify that records of verification activities are maintained.
Clause and regulation: [ISO 13485:2003: 7.4.3; RDC ANVISA 16/2013: 5.3.1; 21 CFR 820.80]

Additional country-specific requirements: None

Assessing conformity:

Records of verification activities

The records of verification activities must show the supplied product is in conformity with specified
requirements. If nonconformities are found by the organization, confirm the organization has
appropriately handled the nonconformity according to the organization’s established procedures.

Companion Document 93
 The organization can address nonconforming product by taking action to eliminate the detected
nonconformity (e.g. sorting an incoming lot of components to remove components that do not
meet specifications), authorizing its use, release, or acceptance under concession, or by taking
action to prevent its original intended use (e.g. allowing the components to be used as training
aids to show production personnel the difference between an acceptable and unacceptable
component).
For the supplied product(s) the audit team has chosen to review, confirm the records of
verification activities have been maintained. One way to perform this task is to request a sample
of verification records for the chosen product and confirm the acceptance activities have been
documented, including the documentation and appropriate disposition of nonconforming product.

Link: Production and Service Controls

The audit team may encounter instances where product has been deemed acceptable by
the successful completion of acceptance activities but the product is later shown to not meet
specified requirements (e.g. failure of the device due to nonconforming component leading to
product complaint). This can be an indication that the acceptance activities are not sufficient to
identify nonconformities; or were not appropriately conducted. Confirm that the organization has
taken the appropriate action to determine the suitability of the acceptance activities. For example,
the organization may need to validate the test method used for incoming acceptance to ensure
the test method is actually capable of identifying nonconforming product.

15.Verify that data from the evaluation of suppliers, verification activities, and purchasing
are considered as a source of quality data for input into the Measurement, Analysis and
Improvement process.
Clause and regulation: [ISO 13485:2003: 8.4; RDC ANVISA 16/2013: 7.1.1.1; 21 CFR 820.100]

Additional country-specific requirements: None

Assessing conformity:

Collection and analysis of data

The organization is responsible for assuring the supplied product meets specified requirements.
In addition to supplier evaluation, the assurance that the supplied product meets specified
requirements is accomplished with the implementation of appropriate acceptance activities
and monitoring complaints and nonconformities associated with purchased product. The
data regarding acceptance activities and nonconformities must be analyzed as appropriate to
determine the need for corrective or preventive action.

94 Companion Document
 Links: Measurement, Analysis and Improvement
The organization must determine the appropriate acceptance activities for supplied product,
based on the essential design outputs of the device and the risk the device poses if specified
requirements are not met. Confirm as necessary that supplied product was evaluated as to
the effect on the essential design outputs. Additionally, verify that the appropriate acceptance
activities were implemented, based on the potential effect the supplied product poses to the
essential design outputs.

Organizations are required to determine, collect, and analyze appropriate data to demonstrate the
ability of suppliers to provide acceptable product. During the audit of the Measurement, Analysis
and Improvement process, confirm that analysis of supplier performance data from evaluation
and monitoring supplier process activities has been performed and considered for corrective or
preventive action when necessary.

16.Determine, based on the assessment of the overall purchasing, whether management

provides the necessary commitment to the purchase process.
Clause and regulation: [ISO 13485:2003: 4.1; RDC ANVISA 16/2013: 2.2.1]

Companion Document 95
96 Companion Document