mgregulatory.com

Top ISO 13485 Nonconformances and How to Prevent Them

A while back, I ran a poll asking which clauses of ISO 13485 people thought generated the most nonconformances. The response was fascinating, and I promised to dig deeper.

Well, I’ve done just that—and here are the results.

Findings Overview

Clause 8 (Performance Evaluation) – 32 findings

This clause covers critical areas like complaints handling, reporting to regulatory authorities, corrective actions, preventive actions, analysis of data, and internal audits. It’s not surprising it tops the list—it demands continuous monitoring and improvement, which can be tricky to sustain over time. Many findings here point to inconsistent follow-through, incomplete root cause analyses, or analysis of the wrong data sources. A key issue found is a lack of consideration of the territories in which reporting to authorities is required, or a lack of justification for not investigating complaints.

The most common nonconformance of clause 8 and how to prevent it

Lack of CAPA records being able to demonstrate effectiveness verification

Clause 8.5.2 (f) of ISO 13485:2016 requires the corrective action procedure to define requirements for reviewing the effectiveness of the corrective action taken.

The area that takes the prize for being the most common of the most common is poor, or entirely missing, effectiveness verification.

The effectiveness verification phase of a CAPA is commonly overlooked; the problem statement, corrections, investigation, root cause analysis and corrective actions seem to take most of the limelight from it.

Firstly, why is effectiveness verification important?

Effectiveness verification of the corrective actions taken is important simply because it ensures that what you have implemented as a corrective action has actually worked. It does this by confirming that the cause of the nonconformity has really been eliminated, and by seeking to prove that the nonconformity is not currently recurring and will not recur.

If there is no effectiveness verification of the corrective actions taken, then we can’t be sure that our corrective action is effective. We also won’t be able to determine at which point the CAPA process was deficient if a recurrence does happen: for example, a poor problem statement that led to a poor root cause analysis, with the result that the corrective actions were not suitable to prevent recurrence.

How to prevent this?

Do not make effectiveness verification an afterthought.

It is possible to define the effectiveness verification when developing the problem statement for the nonconformance. Typically, a Quality Management System (QMS) waits until the corrective actions have been defined before determining the effectiveness verification. However, it is recommended to define a “draft” effectiveness verification method when the nonconformance is first experienced. The draft can be reviewed when the CAPA reaches that stage of its lifecycle, but defining it early typically stops the wrong measures being chosen.

Clause 7 (Product Realisation) – 20 findings

This clause governs everything from design and development to production and service provisions. Issues here often arise from weak documentation, incomplete design controls, or challenges in supplier management—particularly in quality and written agreements. These findings are a reminder that robust systems for planning and execution are essential.

The most common nonconformance of clause 7 and how to prevent it

Lack of Supplier Notification Agreements

Within clause 7.4.2 of ISO 13485, the standard defines the following:

Purchasing information shall include, as applicable, a written agreement that the supplier notify the organisation of changes in the purchased product prior to implementation of any changes that affect the ability of the purchased product to meet specified purchased requirements.

This requirement has really good intent, but as we know in the wake of the implementation of Regulation 2017/745 and Regulation 2017/746, good intent is not always implemented with positive results…

A common area where this causes issues is small organisations trying to put documentation in place with larger service or product providers in order to control change. Many of these larger organisations will simply tell them to go away. Hard luck.

Further, another common problem is that contracts often say something along these lines: “the organisation shall be notified of change”. In the section quoted from the standard above, there are a couple of key phrases. One of these is “prior”. This word is key to change control, since the contract wording above does not require notification before the change is made.

Additionally, organisations, particularly smaller ones, may and often will struggle to get certain suppliers to agree to this. This brings us to the other key phrase, “as applicable”. An organisation should most definitely try; however, if the supplier isn’t playing ball, the organisation needs to consider whether that supplier is the right one, or whether it is worth moving to another. The organisation can also look at other controls, including heightened inspection of the purchased product.

How to Prevent this?

Be essential. Firstly, ask the question – do we need this for this supplier? If not, justify the decision well and document it in the supplier file.

Organisations often jump straight to trying to implement massive quality agreements with a large number of requirements, which does not help their case in trying to get manufacturers to sign up to change control. So start small: can the provision for change notification prior to the change occurring form part of the supplier questionnaire or the purchase orders raised?

Clause 4 (Quality Management System) – 14 findings

Clause 4 findings are critical because they involve the overall structure and maintenance of the QMS, making it a foundational area of compliance. Common issues include misaligned quality manuals, missing or incomplete records, and inadequate version control. These gaps often lead to broader systemic nonconformances, as the QMS serves as the backbone of regulatory compliance. Another frequent focus area under this clause is the medical device file.

The most common nonconformance of clause 4 and how to prevent it

Scope Misalignment in the Quality Manual

Inconsistent Scope Definition: The quality manual does not align with the scope stated on the ISO 13485 certificate. Organisations fail to clearly justify exclusions or non-applications, such as Clause 7.5.6 (validation of processes), or omit references to mandatory procedures.

Furthermore, it is common to see confusion between the scope statement on the ISO 13485 certificate and the scope of the QMS itself, i.e. the sites, divisions, etc. that form part of the QMS.

It is critical to ensure that what the Certification Body (CB) or Notified Body (NB) has documented about your QMS aligns with what is in your quality manual.

The quality manual provides the overarching framework for the QMS. A misaligned or incomplete manual can result in misinterpretation of requirements, noncompliance with ISO 13485, and inconsistencies during audits. It presents easy findings for auditors, and is really just an inconvenient finding to have to manage: an administrative issue that takes up valuable time that could be spent elsewhere in the QMS.

How to Prevent this?

Define and Justify the Scope: Clearly articulate the scope of the QMS in the quality manual, ensuring it aligns with the scope on the ISO 13485 certificate. Provide detailed justifications for any exclusions, with supporting evidence, such as records of risk assessments or process validations.

Regular Updates: Establish a schedule for reviewing and updating the quality manual, ensuring it reflects current operations, product lines, and regulatory changes.

Cross-Check Against Procedures: Ensure the quality manual includes references to all mandatory procedures and processes required by ISO 13485. This can be done as part of periodic document reviews, or internal audits.

Clause 4 nonconformances often stem from inadequate attention to the quality manual, medical device file, and document control processes. By clearly defining the QMS scope, maintaining updated and comprehensive documentation, and ensuring traceability across records, organisations can build a solid foundation for their QMS and avoid systemic compliance issues.

Clause 5 (Management Responsibility) – 9 findings

This clause focuses on leadership, including management reviews and quality objectives. Findings here often point to insufficient engagement from leadership or incomplete reviews that don’t follow the requirements for inputs as defined by ISO 13485. It shows how crucial top-down commitment is to sustaining compliance. A lack of designated management representative appointment letters is a theme, as well as non-measurable quality objectives.

The most common nonconformance of clause 5 and how to prevent it

Unmeasurable Quality Objectives

The most common nonconformance found was the establishment of vague or unmeasurable quality objectives. Clause 5.4.1 of ISO 13485:2016 specifies that “Quality objectives shall be measurable”. Objectives such as “improve customer satisfaction” or “enhance training compliance” may sound meaningful, but they often lack the quantitative indicators (KPIs) required to evaluate progress effectively. This leads to ambiguity and makes it difficult to assess during periodic reviews whether the organisation is achieving its goals. It also hinders the organisation in actually achieving the objectives, as there is no baseline against which to determine whether an objective has been met.

The lack of measurable quality objectives creates a risk of nonconformances from audits. However, quality objectives that are repeated year after year, never closed, or unable to evidence progress are another sign that the measurement of the QMS is ineffective.

How to Prevent This?

For simplicity, the SMART Framework provides a good basis to define quality objectives:

  • Specific: Clearly define what you want to achieve. For example, instead of saying “improve customer satisfaction,” specify, “achieve an average score of 85% or higher on annual customer satisfaction surveys.”
  • Measurable: Attach KPIs or metrics to each objective. For instance, for “enhance training compliance,” include a metric like “achieve 95% on-time completion of mandatory training sessions.”
  • Achievable: Set realistic goals that reflect your organisation’s resources and capabilities.
  • Relevant: Align objectives with your company’s broader quality policy and strategic goals.
  • Time-bound: Include deadlines to drive accountability, such as “reduce customer complaints by 10% within the next 12 months.”

Additionally, integrating quality objectives into the continuous improvement of the wider organisation is an excellent way to make them visible to personnel outside the quality department.

Quality objectives should not exist in isolation—they should be tied to broader continuous improvement and business wide efforts. For example:

  • Use quality objectives to guide corrective and preventive actions (CAPA).
  • Identify trends from management reviews to refine processes or enhance resource allocation.
  • If the organisation is implementing a QMS in order to gain certification to ISO 13485, then a great quality objective is to gain certification to ISO 13485. This is specific, very measurable, achievable, relevant and time-bound. It meets all of the SMART criteria.

Summary of Nonconformances Related to ISO 13485:2016 Clause 5.6.2 (Management Review Inputs)

One of the recurring nonconformances identified during audits of quality management systems (QMS) certified to ISO 13485:2016 relates to Clause 5.6.2: Management Review Inputs. This clause specifies the mandatory inputs that must be considered during management review meetings. Nonconformances typically arise when organisations fail to adequately address or document these inputs, leading to gaps in compliance.

Common Nonconformance

  1. Incomplete Input Coverage:
    • Management reviews do not comprehensively address all required inputs outlined in Clause 5.6.2, which include:
      • Audit results (internal and external).
      • Feedback from customers.
      • Process performance and product conformity.
      • Status of preventive and corrective actions.
      • Follow-up actions from previous reviews.
      • Changes that could affect the QMS.
      • Recommendations for improvement.
      • New or revised regulatory requirements.
  2. Lack of Supporting Evidence:
    • Inputs such as customer feedback or audit results are mentioned in the meeting minutes but lack supporting evidence or data to substantiate the discussion.
  3. Inadequate Monitoring of Changes:
    • Changes affecting the QMS, such as regulatory updates, personnel changes, or new product introductions, are often overlooked or not formally considered.
  4. Superficial Discussion of Key Inputs:
    • Discussions around critical inputs, such as process performance, are too general, with no detailed analysis of metrics, trends, or root causes.
  5. Poor Traceability to Previous Reviews:
    • Follow-up actions from prior management reviews are not adequately tracked, and progress updates are missing.
  6. Limited Stakeholder Involvement:
    • Key personnel responsible for specific inputs (e.g., quality, production, or regulatory affairs) are not included in the review process, resulting in incomplete or inaccurate inputs.

Impact of Nonconformance

Failing to comprehensively address the inputs defined in Clause 5.6.2 can have serious implications, including:

  • Inability to identify opportunities for improvement or risks to the QMS.
  • Gaps in compliance with regulatory requirements, especially in jurisdictions like the EU and US.
  • Increased likelihood of product or process nonconformances due to inadequate monitoring.
  • Audit findings or certification delays during surveillance or recertification audits.

How to Prevent These Nonconformances

  1. Create a Standardised Template for Management Reviews:
    • Develop a checklist or template that explicitly lists the mandatory inputs from Clause 5.6.2. This ensures that no input is overlooked during the review.
  2. Ensure Data-Driven Discussions:
    • Gather and analyse data related to each input before the meeting. Provide summaries, trends, and metrics to facilitate informed decision-making.
  3. Assign Ownership for Inputs:
    • Assign responsibility for each input to relevant personnel or departments (e.g., quality for audits, customer service for feedback). Ensure their participation in the review.
  4. Include Follow-Up Tracking:
    • Incorporate a dedicated section in the review template for tracking follow-up actions from previous reviews, with timelines and responsible parties.
  5. Monitor Regulatory and QMS Changes:
    • Establish a mechanism to capture and report changes impacting the QMS, such as regulatory updates, new product introductions, or changes in organisational structure.
  6. Train Leadership on ISO 13485 Requirements:
    • Ensure that top management understands the significance of each required input and their role in driving an effective management review process.

Key Takeaway

Nonconformances related to Clause 5.6.2 often stem from incomplete, undocumented, or poorly structured management review processes. Organisations can prevent these issues by standardising review practices, assigning ownership for inputs, and ensuring data-driven discussions. A robust approach to management review not only ensures compliance with ISO 13485 but also strengthens the organisation’s ability to identify risks, opportunities, and areas for improvement.

Common Nonconformances by Clause and How to Prevent Them

Clause 6 (Resource Management)

Although Clause 6 generates fewer findings compared to other areas, the nonconformances often reveal critical weaknesses related to training, competency, resource allocation, and contamination control. These findings underscore the importance of managing people, infrastructure, and work environments as foundational elements of an effective QMS.

The most common nonconformance of clause 6 and how to prevent it

Internal Auditor Training (5 findings)

ISO 13485 has very specific requirements when compared to ISO 9001, for example. It differs massively in certain areas, such as the elements related to sterilisation and traceability. A common issue seen is that organisations utilise internal auditors who are trained to audit against ISO 9001 but have no specific auditing training, or general training, in ISO 13485.

Impartial and competent internal audits are crucial for identifying gaps, maintaining compliance, and fostering continuous improvement. Without an effective internal audit system, CBs or NBs will identify nonconformances that should have been identified internally. This puts more pressure on the QMS to manage these issues and can sometimes cause the CB or NB to question whether management is resourcing the QMS effectively.

How to prevent this?

Training and Certification: Ensure all internal auditors are trained in ISO 13485 requirements. They do not necessarily need to be certified as ISO 13485 auditors, but they must have evidence of training. Consider external courses or certification programmes to build their skills.

It is key to maintain records of auditor competency, including how the effectiveness of their training has been evaluated, i.e. how did the organisation test whether the training worked?

Key Takeaway

Clause 6 findings highlight the importance of investing in your people, infrastructure, and work environment. Organisations can prevent nonconformances by formalising documentation, maintaining training records, and ensuring that all controls, especially those related to contamination, are well-documented and reviewed regularly. Proactive resource management strengthens the QMS and contributes to consistent compliance with ISO 13485.