While medical device companies can get caught up with processes and regulations, they are still businesses. And since they are businesses, they will have customers who purchase their products or services. In fact, ISO 13485 has an entire clause (7.2) dedicated to customer-related processes to ensure this aspect is incorporated into a company’s QMS.
Like many clauses of ISO 13485, customer-related processes will vary significantly based on the company’s nature and the product or service it produces. A company that supplies hospitals will interact with its customers in an entirely different way than a contract manufacturer of medical devices.
Let’s break down ISO 13485 clause 7.2 customer-related processes to understand what is required by ISO 13485, and how it can vary based on the nature of the company.

Determination of Requirements for Customer-Related Processes (7.2.1)
The first requirement is about a company determining what is needed to provide its customers with the correct product or service. It’s important to note that a company may not have a standalone procedure for determining customer requirements. The different elements of this clause may be fulfilled through a variety of processes, including the process for receiving orders and design control processes. This is okay as long as each element is included and can be identified during an audit.
Requirements specified by the customer
Companies need to consider the requirements of their customers. For some products, this applies to the end user and ties into the design process and the intended use of the device.
For other products, the requirements will be specified by the direct customer. A contract manufacturer, for instance, may be given product prints, assembly instructions, acceptance criteria, etc. from its customer. This makes it very easy to understand the customer’s requirements. Another example would be a sterilization supplier, which receives the product from their customer along with the sterilization criteria.
Another part of this clause is that the requirements include delivery and post-delivery activities. Using the example of the contract manufacturer, they may be given instructions from their customers on how to package the product in order to avoid damage during delivery. Post-delivery activities can include installation and servicing requirements for the product to function correctly.
Requirements not stated by the customer
The next clause includes the need to fulfill requirements not stated by the customer, but necessary for specified use. This may seem odd at first but makes sense when considered in the context of the medical device industry. Companies have a duty to supply medical devices that are both safe and effective. If an ISO 13485 certified company receives requirements that are incomplete or do not include an element that is necessary for a device to function safely, it needs to include that element anyway or reach out to its customer for further clarification.
We are going to use the example of an ISO 13485-certified sterilization supplier. Sterilizing companies will have a much greater understanding of sterilization than their customers. Even if a specific element of the sterilization is not included in the customer’s requirements, the supplier should still perform that element to properly sterilize the product. The customer’s ignorance is not justification for a company to do the wrong thing concerning its product or service.
This also ties into risk management when designing a device. Companies need to consider both the use of the device and any reasonably foreseeable misuse.
Regulatory requirements
Medical device companies should also consider any regulatory requirements when they are supplying products to a customer. This could include environmental or material-based regulations related to its product as well as product or process-based regulations. I’ve worked with companies that must follow specific dimensional requirements related to the connection point of a component (ISO 80369). The requirements should be determined during design control and carried out when the product is going to be sent to a customer.
This also includes the regulatory requirements of the different countries in which the product will be sold. The process of understanding where a medical device can be legally marketed should be incorporated into the design control process and considered when supplying products/services to a specific area.
User training
Medical device companies need to determine if the product they are providing will require user training. This is also a good time to consider the different types of customers of the product. For example, it’s important to understand if the person using the device will be a nurse, doctor, or someone in technical services.
The user of the product is the most essential person to train when the product is being supplied. Sometimes companies will include user training as part of their risk control measures, which puts greater importance on user training. Companies also have the option of providing training in a digital format where it makes sense.
Additional Requirements
The final aspect of clause 7.2.1 is that a company needs to determine any other customer-related requirements. This could include requirements for the design or labeling of a device. I won’t go into too much detail here as the additional requirements will be completely different depending on the nature of the medical device company.
Review of Requirements (7.2.2)
The next part of customer-related processes that we will cover is the review of requirements related to product. While the determination of requirements ties in heavily to the design control process of a company, the review of requirements is all about what happens when a company receives an order. The clause even specifies that the review should be conducted prior to the organization’s commitment to supply product to the customer.
The company must ensure that the product requirements of their customer are clear and understandable. If the company is unsure about any part of the requirements, this should be clarified with the customer before any orders are created. It must also make sure that any changes to orders or product requirements are properly documented.
At all times, companies should ensure that applicable regulatory requirements are being met. A company should not supply a product that runs counter to regulations, as this could cause legal issues for the company.
A medical device company must also make sure that if their product requires training they have the resources available to provide the training. Since user training has already been specified as a requirement for the safe delivery of a product, a company cannot agree to provide the product without the proper training.
When a company receives an order or a request for an order, it needs to verify that it can sufficiently meet the customer’s requirements. Does it have the products available? If it needs the product to be manufactured, does the company have the capacity and necessary raw materials? Will the product be able to be supplied by the customer’s due date?
Additionally, a contract or component manufacturer can ask if it can actually manufacture the requested product. There is significant risk in producing medical devices and components, and the risk increases if a company is biting off more than it can chew.
The next requirement in this section is that the records of the results of the review shall be maintained. What does this look like? In many cases, this is just a copy of the customer’s purchase order with the signature (electronic or otherwise) of the individual who reviewed the purchase order. For a more complex product, there should be evidence of the review, which could be detailed in a formal contract.
A company should also be able to trace the customer’s order to the resulting sale order. What an auditor wants to see is a clear line from how orders are received to how orders are fulfilled. If there is more customer involvement than is typical, there may be other quality agreements and similar documents that can be included as well.
Finally, the standard states that when product requirements are changed, the organization shall ensure that relevant documents are amended. The changes could be something simple like the delivery date, or complex changes to the product. Depending on the extent of the change, the correct personnel should review and approve the change.
Again, I want to state that the review of product requirements does not need to be a standalone procedure. The requirements are also typically included in processes like “customer order fulfillment” or similar processes that match the spirit of this clause.
Communication (7.2.3)
The final section of customer-related processes is Communication; however, the communication extends beyond customers. Organizations must plan and document procedures for communication related to:
- Product information. This includes product information listed on websites, catalogs, and information distributed through a sales team. Any piece of advertising material related to the device must have specific language used so it does not violate FDA regulations. It’s best if marketing personnel are trained on requirements related to advertising.
- Enquiries, Order Handling. This refers to a company having a well-defined process for receiving customer orders that includes the ability to change orders when needed.
- Customer Feedback and Complaints. Once the product has been sent to a customer, the customer must have a way of communicating back to the company if there are any issues with the products or complaints. Timely complaint handling is an essential component of a medical device company, so the manner and responsibilities for complaint communication should be clearly defined.
- Advisory notices. Companies should again have clear processes and responsibilities for when complaints need to be reported to regulatory agencies.
Finally, companies must be able to communicate all other types of information to regulatory authorities. This can include 510(k) submissions, updates of products with a 510(k), and any other information that must be sent to regulatory agencies such as a company moving locations.
Wrapping Up
That was a review of section 7.2 Customer-Related Processes for ISO 13485. While many of these principles are broader business principles, they are still essential to a well-run medical device QMS.