There is a long list of requirements, procedures, activities, or arrangements that you’re obliged to document to establish a quality management system that is compliant with ISO 13485 and FDA 21 CFR 820. For many of the requirements, the standard/regulation just requires them to be documented while for others the need for a documented procedure is explicitly called out.
If you have responsibility for documenting the processes needed for the quality management system, at a minimum, you must have a solid understanding of those processes which are required to be documented in a procedure by ISO 13485/FDA 21 CFR 820.
To help provide a baseline for you as you work to develop a new quality management system or as you prepare for an upcoming audit or inspection, I’ll provide a list of mandatory documents for ISO 13485 & FDA 21 CFR 820 compliance and provide a few tips to consider.
Which Procedures Must I Document?
For a Full Quality System, you should expect to have at least 23 documented procedures in addition to a quality manual.
Keep in mind that this list assumes all of the requirements are applicable to the activities that your organization undertakes. If there are some activities that are not applicable to your organization then the list of required procedures may be reduced. However, these excluded activities, if permitted by applicable regulatory requirements, must be documented as exclusions within your quality manual.
This is, of course, a bare-bones approach for a medical device manufacturer that is just starting out and plans to seek ISO 13485 certification and compliance with 21 CFR 820. As your organization grows you will likely need to include a few other procedures to ensure applicable regulatory requirements are consistently met along with additional documented work instructions to ensure standardized work is being performed as a basis for continuous improvement.
Minimum Required Procedures
- Quality Manual (ISO 13485, Sec. 4.2.2)
- Software Validation (ISO 13485, Sec. 4.1.6, 7.5.6, 7.6 / 21 CFR 820.70(i))
- Control of Documents (ISO 13485, Sec. 4.2.4 / 21 CFR 820.40)
- Control of Records (ISO 13485, Sec. 4.2.5 / 21 CRF 820.180)
- Management Review (ISO 13485, Sec. 5.6.1 / 21 CFR 820.20(c))
- Training (ISO 13485, Sec. 6.2 / 21 CFR 820.25)
- Infrastructure (ISO 13485, Sec. 6.3, 21 CFR 820.140, 820.150, 820.160, 820.170)
- Risk Management (ISO 13485, Sec. 7.1)
- Design and Development (ISO 13485, Sec. 7.3.1, 7.38, 7.39 / 21 CFR 820.30)
- Purchasing Controls (ISO 13485, Sec. 7.4.1 / 21 CFR 820.50, 820.80(b))
- Control of Production (ISO 13485, Sec. 6.4.1, 7.5.1, 7.5.11 / 21 CFR 820.70, 820.120, 820.130)
- Control of Servicing (ISO 13485, Sec. 7.5.4 / 21 CFR 820.200)
- Process Validation (ISO 13485, Sec. 7.5.6 /21 CFR 820.75)
- Sterilization Process and Sterile Barrier System Validation (ISO 13485, Sec. 7.5.7)
- Product Identification and Traceability (ISO 13485, Sec. 7.5.8, 7.5.9 / 21 CFR 820.60, 820.65)
- Control of Monitoring and Measuring Equipment (ISO 13485, Sec. 7.6 / 21 CFR 820.72)
- Feedback Process (ISO 13485, Sec. 8.2.1)
- Complaint Handling & Medical Device Reporting (ISO 13485, Sec. 8.2.2 / 21 CFR 820.198 / 21 CFR 803)
- Regulatory Reporting (ISO 13485, Sec. 8.2.3 / FDA 21 CFR 806)
- Internal Audits (ISO 13485, Sec. 8.2.4 / 21 CFR 820.22)
- Monitoring and Measurement of Product (ISO 13485, Sec. 8.2.6 / 21 CFR 820.80, 820.250)
- Control of Nonconforming Product (ISO 13485, Sec. 8.3 / 21 CFR 820.90)
- Analysis of Data (ISO 13485, Sec. 8.4 / 21 CFR 820.250)
- Corrective Action and Preventive Action (ISO 13485, Sec. 8.5.2, 8.5.3 / 21 CFR 820.100)