Do you want to create an effective training program that meets ISO 13485 training requirements? This article will cover all the ins and outs of the Human Resources section (6.2) of ISO 13485:2016, and provide a complete guide to creating a compliant training procedure.
Training is one of the most important things for a company to get right if it wants to be successful. While many companies can train their employees, this doesn’t always translate to a process that meets ISO 13485 training requirements. For that reason, it’s essential to know how to adapt your training program to easily meet all of the requirements.
That’s why we are providing this step-by-step guide on how to create a training program while answering some commonly asked questions along the way.

The Why
There are many reasons to have an effective training program.
The first is that anyone directly involved with a medical device needs to have sufficient training to make the device safe and effective. This includes everyone from purchasing personnel to production workers to design engineers. A medical device company’s first priority should be safety, and they should do everything they can to work towards that end.
Another is that people enjoy training. A common complaint among employees is that a company’s onboarding process is insufficient. People want to be set up for success in their roles, and this involves proper training on what they will be doing. Many times, people also want the opportunity to expand from their role and take on new skills, and this is handled through training.
An organization should not create a training program just to meet requirements, but instead to benefit their customers, patients, and employees.
What are the ISO 13485 Training Requirements?
The ISO 13485 training requirements are very broad, which is one of the things Medical Device companies struggle with the most. This is especially true with the first statement of section 6.2:
Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.
So what does this look like in practice?
When a company is hiring an engineer, what are their requirements? Does the engineer need to have an engineering degree (appropriate education), ISO 13485 training, and a certain number of years of experience?
These questions are often answered in the job descriptions of companies. For this reason, it is necessary to have job descriptions available for roles and ensure the Human Resources department is aware of their responsibilities.
However, there are also plenty of skills and training that are not required from someone joining a company but will need to be acquired once they join. There is also competence that can only be gained through organization-specific training.
As we move through the rest of the article we’ll find out how to determine who needs to be trained in different QMS processes, what those processes are, how to complete training, and how to document the training.
Who Needs to be Trained?
Despite what you may think, not everyone in the company needs training on QMS procedures to meet ISO 13485 training requirements. What the standard says is that an organization must:
- a) determine the necessary competence for personnel performing work affecting product quality;
- b) provide training or take other actions to achieve or maintain the necessary competence;
Based on that statement, we know that anyone affecting product quality must have the training to achieve the necessary competence. So, who affects product quality? Here is a list of departments that typically fall under this category, and should be included in the training program:
- Assemblers, operators, or anyone responsible for building any part of a Medical Device, including any components.
- Quality Inspectors.
- QA personnel, including anyone handling customer complaints, nonconforming material, Corrective Actions, etc.
- Warehouse employees who receive or package material.
- Engineers, especially any engineers who would be involved with New Product Development or the creation of risk-based files, such as an FMEA.
- Managers. The extent of training will depend on how close the managers are to the work being conducted. If a manager is completing the same processes as production workers or administrative personnel, they should have all of the same training as those employees. If they are a higher-level manager or executive, they should have training sufficient to perform their duties as top management, including items like management review.
- Employees involved with purchasing.
While those positions always require training, some positions are on the fence. These job roles may or may not require QMS training based on their specific role within your company:
- Customer Service or Sales personnel. If they are going to be receiving customer complaints, they need to be trained on your complaint handling procedures, as complaints are related to product quality.
- Marketing personnel. While this may seem odd, marketing employees at Medical Device companies should be aware of how marketing material relates to regulations. You do not want to say the wrong thing and end up drawing the ire of the FDA or other regulatory agencies.
- Maintenance workers. Someone who adjusts the sprinklers outside of the facility is not performing work related to product quality. However, a maintenance worker who is directly involved with the validation of a machine needs the required training.
There are also some instances where outside vendors or suppliers may require training in your quality processes. Some examples of this would be an outside contractor performing internal audits for your company or a supplier performing your inspection processes at their site.
At a company I previously worked for which had a cleanroom, the company responsible for cleaning the cleanroom had to ensure that all of its employees were trained in our cleanroom entrance process.
So, which job roles do not require QMS training? While your company’s specific processes should always inform your requirements, there are specific job roles that can typically be excluded from ISO 13485 training requirements:
- Accountants. This role is often not directly involved with product quality and is not often the subject of discussion during quality audits.
- The IT department, as long as the company is not providing Software as a Medical Device (SaMD).
Note: while those departments are not directly related to product quality, at the end of the day a company’s goal should be to develop a strong training program that also meets ISO 13485 training requirements. For this reason, a company should strive to have everyone at the company involved with the training program.
Determining Training Requirements
Once you have decided who will require training, you need to determine what the required training is for each job role to meet ISO 13485 training requirements.
To determine the required training, consider the essential elements of each job role and how they interact with product quality. Some of the required training should be easy to establish, such as initiating a non-conformance for a product or assembling a medical device. Other processes might be trickier to evaluate, such as filling out a purchase order.
Examine each of the departments that require training, and what the day-to-day activities are for those departments. If those activities are related to product quality or the overall function of your QMS, the activities should require training.
One common way of listing training requirements is in a training matrix. The training matrix can be specific to each department, and document what training is required for each job role or department.
Here is a very simple example of a training matrix:

Another thing to consider is that each of the processes in the training matrix should reference a controlled document. While this is not specifically listed in ISO 13485 section 6.2, it is fundamental in the operation of a medical device QMS. If you are going to claim that a process is essential to product quality, it would open up too many questions during a quality audit if you don’t document that process.
Something to note is that you can group training requirements into job families for specific departments, especially if there is a significant overlap in the responsibilities. In many organizations, a specific job title may change and develop over time. Alternatively, a department may have roles with several different levels (Quality Inspector I, Quality Inspector II, etc).
In these situations, you don’t want to specify training for each job title. Your training matrix can instead list what training is required for each department.
While overall the ISO 13485 training requirements are very broad, there is one line of the standard that is specific about what training is required. This is covered in the next section.
Achievement of Quality Objectives
As mentioned, ISO 13485 section 6.2 includes one line that is more specific about required training for employees:
d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives;
I have seen this interpreted in two different ways by medical device companies.
The first interpretation is that this line refers to the Quality Objectives of each process. For example, when someone is assembling a medical device, they are required to know what will lead to the successful assembly of that device. Or, when a quality inspector is inspecting a device, they need to know how the inspection is related to the overall achievement of a successful process.
The second interpretation is that this line refers to the overall Quality Objectives of the company, referencing ISO 13485 5.4.1. These companies choose to include training on the Quality Objectives for each employee so that employees are aware of their role in meeting those Quality Objectives.
Another thing to note is that section 5.3 (Quality Policy) specifically says that the Quality Policy is “communicated and understood within the organization”. To satisfy this requirement, organizations should include the Quality Policy in the training for every employee. This can be documented in your training matrices and training system.
If you are going to err on the safe side, it’s best to train employees on both interpretations to satisfy ISO 13485 training requirements. Train employees on the possible defects that are relevant to their activities. At the same time, train employees on the company’s Quality Policy and overall Quality Objectives.
Performing Training
Now that you’ve determined what training is required, you need to understand how your company is going to perform that training to meet ISO 13485 training requirements.
The standard does not list any specific ways that training should be performed, so it is left to each company to determine how they are going to perform training.
The training can be as simple as “read-and-understand” training for every job role. In this situation, the employees are just required to read each of the procedures listed in their training matrix.
However, I will caution that while I have seen it be successful for medical device companies to meet ISO 13485 training requirements, I don’t think anybody believes this is the most effective or enjoyable training. The benefits of this type of training are that it can be completed very quickly and requires very few resources.
Another type of training that might be more relevant is on-the-job training. Here an employee walks through the specific process they need to follow (as mentioned, the on-the-job training should still reference controlled documents).
For higher-risk processes and more effective training, organizations can also perform “classroom” style training with employees. To maximize impact, companies should use experienced personnel who bring excitement to the training process and increase engagement.
Many times companies will also include outside training in their requirements. For example, at a company I previously worked with, everyone who was involved in internal audits was required to go through an ISO 13485 internal auditing course provided by an outside company.
The way the training is performed is up to the company and is based on the resources available, the risks present in the organization, and what types of software the company is using (more discussion in the Documenting Training section).
Another thing to consider is when training will be performed.
Training is typically first conducted when an employee joins the company as part of onboarding. Your training procedure can list a specific timeframe, where each employee is required to be trained by a deadline once they are hired.
Training should also be conducted periodically, on an annual basis depending on the process (training on the Quality Policy is often given multiple times, even if the Quality Policy does not change), and when a procedure is updated to a new revision.
Training may also need to be conducted when a new procedure is introduced, a new piece of equipment is purchased, or an employee moves to a new job role. Again, companies should try to consider when retraining is either necessary or will benefit employees.
Evaluating Competence (Effectiveness of Training)
Once you have performed training, ISO 13485 requires you to evaluate the effectiveness of your training actions.
Luckily, we’ve written a whole other article on three different ways to demonstrate the effectiveness of training for ISO 13485. Check that out if you are looking for ideas on how to evaluate competence.
One thing to keep in mind is the note in section 6.2:
The methodology used to check effectiveness is proportionate to the risk associated with the work for which the training or other action is being provided.
As always, a risk-based approach is emphasized throughout ISO 13485. This means that your approach to training and checking effectiveness may need to change based on the risk level of either the process or the medical device being produced.
For this reason, read-and-understand is generally not good enough for high-risk processes.
Documenting Training
The last thing to keep in mind when you are developing a process to meet ISO 13485 training requirements is how the training is going to be documented and recorded.
How you are going to document training is heavily impacted by what software your company is currently using or will be using.
Some companies use eQMS systems with a fully integrated training module. If this is your situation, use the module provided. You do not need to reinvent the wheel when it comes to meeting ISO 13485 training requirements.
Other ways to document training include:
- Integrate the training program into an already existing ERP or electronic document management system. While there might not be a specific module, if you can find a creative way to record training within an existing system, you can save yourself a lot of time and trouble.
- Use standalone training software. Training software is readily available to document training and meet ISO 13485 training requirements. This is not as simple as having an integrated training program, but can still be a reliable way to record training.
- Use a paper-based document management system. This requires the most time and energy, but you can still be successful in meeting ISO 13485 training requirements while using a paper-based system.
Whichever way you choose to record training, here are some of the items you will need to record and have available during an ISO 13485 audit:
- Job description
- Training requirements for each role (or training matrix)
- Evidence of company-specific training
- Evidence of outside training or education
- Criteria for evaluating the effectiveness of training
- Evidence that the effectiveness of training was evaluated
Wrapping Up
That was the complete guide to building a training program that meets ISO 13485 training requirements. Hopefully, you were able to learn something helpful and feel more confident about developing a medical device training program. If you have any questions or ideas, feel free to leave them in the comments below.