ISO 13485 Training Requirements: The Complete Guide

Are you struggling to ensure your training program meets ISO 13485 training requirements? You’ve come to the right place. This article will cover all of the ins and outs of the Human Resources section (6.2) of ISO 13485:2016, and provide a complete guide to creating a compliant training procedure.

Training is one of the most important things for a company to get right if it wants to be successful. While many companies are able to train their employees, this doesn’t always translate to a process that meets ISO 13485 training requirements. For that reason, it’s essential to know how to adapt your training program to easily meet all of the requirements.

That’s why we are providing this step-by-step guide on how to create a training program while answering some commonly asked questions along the way.

What are the ISO 13485 Training Requirements?

The ISO 13485 training requirements are very broad, which is one of the things Medical Device companies struggle with the most. This is especially true with the first statement of section 6.2:

Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.

So what does this look like in practice? In general, this section of the training requirements is referenced when it comes to job descriptions. When you are hiring an engineer, what are the requirements? Do they need to have an engineering degree (appropriate education), ISO 13485 training, and a certain number of years of experience?

These questions are often found in the job descriptions of companies. For this reason, it is useful to have job descriptions available for specific roles and ensure the Human Resources department is aware of their responsibilities.

There are some exceptions though, that include things like outside training. For example, at a company I previously worked with, everyone who was involved in internal audits was required to go through an ISO 13485 internal auditing course provided by an outside company. This is something that might not be found in a job description, and would not be handled by internal training.

While it would be possible to include these items with the rest of your training documentation, it can be somewhat difficult in practice. Luckily, auditors tend to look at more specific items of training during ISO 13485 audits. For this reason, companies mainly need to make sure that all of the information is available and present for each employee, and can be accessed during an audit.

What do the more specific training items look like? This is training on company-specific procedures for processes like complaint handling, part inspection, and device assembly. These types of processes are specific to each company, and cannot be verified by someone just possessing a college degree.

As we move through the rest of the article we’ll find out how to determine who needs to be trained in different QMS procedures, what those procedures are, how to complete training, and how to document the training.

Who Needs to be Trained?

Despite what you may think, not everyone in the company needs to have QMS training in order to meet ISO 13485 training requirements. What the standard says, is that an organization must:

• a) determine the necessary competence for personnel performing work affecting product quality;
• b) provide training or take other actions to achieve or maintain the necessary competence;

Based on that statement, we know that anyone affecting product quality is required to have the training to achieve the necessary competence. So, who affects product quality? Here is a list of departments that typically fall under this category, and should be included in the training program:

1. Assemblers, operators, or anyone responsible for building any part of a Medical Device, including any components.
2. Quality Inspectors.
3. QA personnel, including anyone handling customer complaints, nonconforming material, Corrective Actions, etc.
4. Warehouse employees who receive or package material.
5. Engineers, especially any engineers who would be involved with New Product Development or the creation of risk-based files, such as an FMEA.
6. Employees involved with purchasing. While the job might not be as direct as the others listed, purchasing components or materials that meet quality requirements is an essential task.

While those positions always require training, there are also some positions that are on the fence. These job roles may or may not require training based on their specific role within your company:

1. Customer Service or Sales personnel. If they are going to be receiving customer complaints, there is a good chance that they need to be trained on your complaint handling procedures, as complaints are related to product quality.
2. Marketing personnel. While this may seem odd, marketing employees at Medical Device companies should be aware of how any marketing material can impact regulations. You do not want to say the wrong thing and end up with a 483 observation or FDA Warning Letter.
3. Managers. This depends on the size of the organization and the different layers of management within that organization. In general, the closer a manager is to any of the activities listed above, the more likely they are to require training in QMS procedures.
4. Maintenance workers. Someone who adjusts the sprinklers outside of the facility is not performing work related to product quality. However, a maintenance worker who is directly involved with the validation of a machine should likely have the required training.

There are also some instances where outside vendors or suppliers may require training in your quality procedures. Some examples of this would be an outside contractor performing internal audits for your company or a supplier performing your inspection processes at their site.

At a company I previously worked for which had a cleanroom, the company responsible for cleaning the cleanroom had to ensure that all of their employees were trained in our cleanroom entrance process.

So, which job roles do not require training? While your companies specific processes should always inform your requirements, there are specific job roles that can typically be excluded from ISO 13485 training requirements:

1. Accountants. This role is often not involved directly with product quality and is not often the subject of discussion during quality audits.
2. The IT department, as long as the company is not providing Software as a Medical Device (SAMD).

Note: while those departments are not directly related to product quality, at the end of the day a company’s goal should be to develop a strong training program that also meets ISO 13485 training requirements. For this reason, you may choose to have everyone at the company involved with the training program.

An easy way to look at who requires training is to think about what types of records are reviewed during an audit. For example, it is often the case that quality inspection records are reviewed during an audit. If you are going to be discussing a specific topic during the audit, personnel involved with that topic should have training records that are complete and available.

Determining Training Requirements

Once you have decided who will require training, you need to determine what the required training is for each job role, in order to meet ISO 13485 training requirements.

To determine the required training, consider the essential elements of each job role and how they interact with product quality. Some of the required training should be easy to establish, such as initiating a non-conformance for a product or assembling a medical device. Other processes might be trickier to evaluate, such as filling out a purchase order.

Examine each of the departments that require training, and what the day-to-day activities are for those departments. If those activities are at all related to product quality or the overall function of your QMS, the activities should require training.

One common way of listing training requirements is in a training matrix. The training matrix can be specific to each department, and document what training is required for each job role or department.

Here is a very simple example of a training matrix:

Another thing to consider is that each of the processes in the training matrix should reference a controlled document. While this is not specifically listed in ISO 13485 section 6.2, it is fundamental in the operation of a medical device QMS. If you are going to claim that a process is essential to product quality, it would open up too many questions during a quality audit if you decide to not document that process.

Something to note is that you can group training requirements into job families for specific departments, especially if there is a significant overlap in the responsibilities. In many organizations, a specific job title may change and develop over time. Alternatively, a department may have roles with several different levels (Quality Inspector I, Quality Inspector II, etc).

In these situations, you may not need to specify training for each job title. Your training matrix can instead list what training is required for each department.

While overall the ISO 13485 training requirements are very broad, there is one line of the standard that is specific about what training is required. This is covered in the next section.

Achievement of Quality Objectives

As mentioned, ISO 13485 section 6.2 includes one line that is more specific about required training for employees:

d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives;

I have seen this interpreted in two different ways by medical device companies.

The first interpretation is that this line is referring to the quality objectives of each process. For example, when someone is assembling a medical device, they are required to know what will lead to the successful assembly of that device. Or, when a quality inspector is inspecting a device, they need to know how the inspection is related to the overall achievement of a successful process.

This line of thinking is similar to what is listed in FDA regulations. FDA 21 CFR part 820.25 (b)(1) states:

As part of their training, personnel shall be made aware of device defects which may occur from the improper performance of their specific jobs.

Here, we can see that the FDA is requiring medical device manufacturers to train employees on what types of defects may occur for a device, and how that defect is related to their job.

The second interpretation is that this line is referring to the overall quality objectives of the company, referencing ISO 13485 5.4.1. These companies choose to include training on the Quality Policy and Quality Objectives for each employee so that employees are aware of their role in meeting those Quality Objectives.

One thing to note is that section 5.3 (Quality Policy) specifically says that the Quality Policy is “communicated and understood within the organization”. To satisfy this requirement, many organizations include the Quality Policy in the training for every employee. This can be documented in your training matrices and training system.

If you are going to err on the safe side, it’s best to train employees on both interpretations to satisfy ISO 13485 training requirements. Train employees on the possible defects that are relevant to their activities. At the same time, train employees on the company’s Quality Policy and overall Quality Objectives.

Performing Training

Now that you’ve determined what training is required, you need to understand how your company is going to perform that training to meet ISO 13485 training requirements.

The standard does not list any specific ways that training should be performed, so it is left to each company to determine how they are going to perform training.

The training can be as simple as “read-and-understand” training for every job role. In this situation, the employees are just required to read each of the procedures listed in their training matrix. While this may not be the most thorough training, I have seen it be successful for medical device companies to meet ISO 13485 training requirements. The benefits of this type of training are that it can be completed very quickly and requires very few resources.

Another type of training that might be more relevant is on-the-job training. Here an employee actually walks through the specific process they need to follow (as mentioned, the on-the-job training should still reference controlled documents).

Other types of training that an organization may decide to perform are classroom training performed either by someone within the organization or an outside company, online training, group training, or workshops.

The way the training is performed is entirely up to the company and is based on the resources available, the risks present in the organization, and what types of software the company is using (more discussion in the Documenting Training Requirement section).

Another thing to consider is when training will be performed.

Training is first typically conducted when an employee joins the company. Your training procedure can list a specific timeframe, where each employee is required to be trained by a deadline once they are hired.

Training should also be conducted periodically, including when a procedure is updated to a new revision, or on an annual basis depending on the process (training on the Quality Policy is often given multiple times, even if the Quality Policy does not change).

Training may also need to be conducted when a new procedure is introduced, a new piece of equipment is purchased, or an employee moves to a new job role. Employees might also be re-trained on a process as the result of a nonconformance or audit finding.

Evaluating Competence (Effectiveness of Training)

Once you have performed training, ISO 13485 requires you to evaluate the effectiveness of your training actions.

Luckily, we’ve written a whole other article on three different ways to demonstrate the effectiveness of training for ISO 13485. Check that out if you are looking for ideas on how to evaluate competence.

One thing to keep in mind is the note in section 6.2:

The methodology used to check effectiveness is proportionate to the risk associated with the work for which the training or other action is being provided.

As always, a risk-based approach is emphasized throughout ISO 13485. This means that your approach to training and checking effectiveness may need to change based on the risk level of either the process or the medical device being produced.

Documenting Training

The last thing to keep in mind when you are developing a process to meet ISO 13485 training requirements is how the training is going to be documented and recorded.

How you are going to document training is heavily reliant on what software your company is currently using or will be using.

Some companies use eQMS systems with a fully integrated training module. If this is your situation, use the module provided. You do not need to reinvent the wheel when it comes to meeting ISO 13485 training requirements.

Other ways to document training include:

1. Integrate the training program into an already existing ERP or electronic document management system. While there might not be a specific module, if you can find a creative way to record training within an existing system, you can save yourself a lot of time and trouble.
2. Use standalone training software. Training software is readily available to document training and meet ISO 13485 training requirements. This is not as simple as having an integrated training program, but can still be a reliable way to record training.
3. Use a paper-based document management system. This requires the most time and energy, but you can still be successful in meeting ISO 13485 training requirements while using a paper-based system.

Whichever way you choose to record training, here are some of the items you will need to record and have available during an ISO 13485 audit:

• Job description
• Training requirements for each role (or training matrix)
• Evidence of company-specific training
• Evidence of outside training or education
• Criteria for evaluating the effectiveness of training
• Evidence that the effectiveness of training was evaluated

Wrapping Up

That was the complete guide to building a training program that meets ISO 13485 training requirements. Hopefully, you were able to learn something helpful and feel more confident about developing a medical device training program. If you have any questions or ideas, feel free to leave them in the comments below.

If you feel this guide was useful, check out our ISO 13485 section to see more guides, or subscribe to our newsletter below.