While medical device companies can get caught up with processes and regulations, especially concerning ISO 13485, medical device companies are still businesses. And since they are businesses, they will have customers who purchase their products or services. In fact, ISO 13485 has an entire clause (7.2) dedicated to customer-related processes to ensure this aspect is incorporated into a company’s QMS.
More than most clauses of ISO 13485, customer-related processes will significantly vary based on the company’s nature and the product or service they produce. Document control and change control are consistent regardless of what the device is or the level of the business. However, the way a company will interact with its customers is entirely different if the company is supplying hospitals compared to a company that is a contract manufacturer of medical devices.
Let’s break down ISO 13485 clause 7.2 customer-related processes to understand what is required by ISO 13485, and how it can vary based on the nature of the company.
Table of Contents
Determination of Requirements for Customer-Related Processes(7.2.1)
The first requirement is all about a company determining what is needed to provide their customers with the correct product or service. It’s important to note that a company may not have a standalone procedure for determining customer requirements. The different elements of this clause may be fulfilled through a variety of processes, including the process for receiving orders and design control processes. This is okay as long as each element is included and can be identified during an audit.
Requirements specified by the customer
Companies need to understand what requirements are being specified by their customer. For some products, this will heavily tie into the design process which ensures that the correct device is being designed.
For other products, the requirements will be directly specified by the customer. A contract manufacturer, for instance, may be given all of the part prints, assembly instructions, acceptance criteria, etc. from its customer. This makes it very easy to understand the customer’s requirements. Another example would be a sterilization supplier, which receives the product from their customer along with the sterilization criteria.
Another part of this clause is that the requirements include delivery and post-delivery activities. Using the example of the contract manufacturer, they may be given instructions from their customers on how to package the product in order to avoid damage during delivery. Post-delivery activities can include installation and servicing requirements for the product to function correctly.
Requirements not stated by the customer
The next clause includes the need to fulfill requirements not stated by the customer, but necessary for specified use. This may seem odd at first but makes sense when considered in the context of the medical device industry. Companies have a duty to supply medical devices that are both safe and effective. If an ISO 13485 company receives requirements that are incomplete or do not include an element that is necessary for a device to function safely, it needs to include that element anyway or reach out to its customer for further clarification.
We are going to use the example of an ISO 13485-certified sterilization supplier. Sterilizing companies will have a much greater understanding of sterilization than their customers. Even if a specific element of the sterilization is not received with the requirements of their customer, they should still perform these elements to properly sterilize the product. The customer’s ignorance is not justification for a company to do the wrong thing concerning its product or service.
Regulatory requirements
Medical device companies should also consider any regulatory requirements when they are supplying products to a customer. This could include environmental or material-based regulations related to its product, or product or process-based regulations. I’ve worked with companies that must follow specific dimensional requirements related to the connection point of a component (ISO 80369). The requirements should be determined during design control and carried out when the product is going to be sent to a customer.
This also includes the regulatory requirements of the different countries in which the product will be sold. The process of understanding where a medical device can be legally marketed should be incorporated into the design control process, or considered when a company plans on providing products/services to a specific area.
User training
Medical device companies need to determine if the product they are providing will require user training. This is also a good time to consider the different types of customers of the product. For example, it’s important to understand if the person using the device will be a nurse, doctor, or someone in technical services. The actual user of the product is the most essential person to train when the product is being supplied. Sometimes companies will include user training as part of their risk control measures, which puts greater importance on user training.
Additional Requirements
The final aspect of clause 7.2.1 is that a company needs to determine any other customer-related requirements. This could include requirements for the design or labeling of a device. I won’t go into too much detail here as the additional requirements will be completely different depending on the nature of the medical device company.
Review of Requirements (7.2.2)
The next part of customer-related processes that we will cover is the review or requirements related to product. While the determination of requirements ties in heavily to the design control process of a company, the review of requirements is all about what happens when a company receives an order. The clause even specifies that the review should be conducted prior to the organization’s commitment to supply product to the customer.
The company must ensure that the product requirements of their customer are clear and understandable. If the company is unsure about any part of the requirements, this should be clarified with the customer before any orders are created. They also must make sure that any changes to orders or product requirements are properly documented.
At all times, companies should ensure that applicable regulatory requirements are being met. A company should not supply a product that runs counter to regulations, as this could cause legal issues for the company.
A medical device company must also make sure that if their product requires training they have the resources available to provide the training. Since user training has already been specified to be a requirement for the safe delivery of a product, a company cannot agree to provide the product without the proper training.
When a company receives an order or a request for an order, it needs to verify that it can sufficiently meet the customer’s requirements. This is most applicable to a contract manufacturing type of company. Can the company actually manufacture the product that is being requested? There is a significant risk in producing a medical device, and this risk increases if a company is biting off more than it can chew.
The next requirement in this section is that the records of the results of the review shall be maintained. What does this look like? In many cases, this is just a copy of the customer’s purchase order as well as the company’s sales order (or similar document). What an auditor wants to see is that there is a clear line from how orders are received to how orders are fulfilled. If there is more customer involvement than is typical, there may be other quality agreements and similar documents that can be included as well.
Finally, the standard states that when product requirements are changed, the organization shall ensure that relevant documents are amended. An easy example of this requirement would be a customer of a contract manufacturer updating their part prints. The contract manufacturer will want to ensure that the new documents are updated in its document control system and that its employees are trained on the new requirements.
Again, I want to include that the review or product requirements does not need to be a standalone document. The requirements are also typically included in processes like “customer order fulfillment” or similar processes that match the spirit of this clause.
Communication (7.2.3)
The final section of customer-related processes is Communication, however, the communication extends beyond customers. Organizations must plan and document procedures for communication, related to;
- Product information. This includes product information listed on websites, catalogs, and information distributed through a sales team. Any piece of advertising material related to the device must have specific language used so it does not violate FDA regulations.
- Enquiries, Order Handling. This refers to a company having a well-defined process for receiving customer orders, that includes the ability to change orders when needed.
- Customer Feedback and Complaints. Once the product has been sent to a customer, the customer must have a way of communicating back to the company if there are any issues with the products or complaints. Timely complaint handling is an essential component of a medical device company, so the manner and responsibilities for complaint communication should be clearly defined.
- Advisory notices. Companies should again have clear processes and responsibilities for when complaints need to be reported to regulatory agencies.
Finally, companies must be able to communicate all other types of information to regulatory authorities. This can include 510(k) submissions, updates of products with a 510(k), and any other information that must be sent to regulatory agencies such as a company moving locations.
Wrapping Up
That was a review of section 7.2 Customer-Related Processes for ISO 13485. While many of these principles are broader business principles, they are still essential to a well-run medical device QMS.
If you have any questions or comments about customer-related processes, please leave a comment below. Also, if you found this article helpful, check out our ISO 13485 page for other ISO 13485 guides and sign up for our newsletter below.