ISO 13485 Clause 6: Resource Management

ISO 13485 Clause 6: Resource Management

Clause 6 is where auditors decide whether your organisation can consistently run the QMS: competent people, suitable infrastructure, controlled work environment, and resourcing decisions with traceable evidence.

Scope covered: 6.1 provision of resources, 6.2 human resources (competence, awareness, training), 6.3 infrastructure, and 6.4 work environment and contamination control. Use the evidence tables below to build an audit-ready record set.

Jump to Clause 6 Evidence Table Jump to Implementation Sequence Go to ISO 13485 Clause Hub (Clauses 4–8) Pricing

What Clause 6 Proves Under Audit

Clause 6 is not “HR admin”. It is a capability proof clause: auditors test whether resources are planned, provided, maintained, and verified as effective through records.

Auditor sampling reality (what gets tested):
  • Competence is defined per role and backed by evidence (not just training attendance).
  • Training effectiveness is verified (post-training checks, supervised sign-off, error-rate impact, competency re-check).
  • Infrastructure is suitable and maintained (planned maintenance, utilities, controlled IT where relevant).
  • Work environment and contamination control are defined, monitored, and enforced where product cleanliness is relevant.
  • Resourcing decisions exist as controlled outputs when gaps are detected (audit findings, CAPA trends, quality KPI drift).

Jump Links (Clause 6 Subclauses)

Internal Links (Implementation Flow)

Proof And Conversion Links

Related Reading

6.1 Provision Of Resources

Operational requirement: the organisation must identify resource needs, provide them, and prove the decision trail when gaps are detected.

Control You ImplementMandatory Records (Objective Evidence)Auditor TestsMajor NC Triggers
Resource planning and escalation system:
  • Resource plan linked to QMS processes and KPIs
  • Triggers: CAPA backlog, audit findings, complaint trends, change volume, training noncompliance
  • Decision gate: approve staffing/equipment/validation spend or formally accept risk with documented rationale
  • Resource plan (controlled) + revision history
  • Resourcing decisions (approvals) tied to triggers
  • Capacity evidence (headcount plan, training capacity, maintenance capacity)
  • Pick one quality signal (e.g., CAPA aging spike) and trace to resourcing decision and outcome.
  • Sample management review outputs that include resourcing actions.
  • Known backlogs persist without decisions or rationale.
  • Resourcing is informal (no records of approval/denial/acceptance of risk).

6.2 Human Resources (Competence, Awareness, Training)

Operational requirement: define competence for roles that affect product quality and compliance, ensure personnel are competent, and verify training effectiveness.

Hard-Lock Rules (What Auditors Expect To Be True)

  • Role competence is defined (skills/knowledge/authorisations per role, including delegated decision authorities).
  • Training is risk-ranked: higher-risk tasks require stronger qualification (supervised sign-off, practical assessment).
  • Effectiveness is verified (not just attendance): pass/fail criteria exists for critical training.
  • Competence is maintained: re-qualification triggers exist (process changes, recurring errors, long absence, audit finding).
Control You ImplementMandatory RecordsAuditor TestsMajor NC Triggers
Competence management system:
  • Role-based competence profiles
  • Training matrix (role → required training/qualification)
  • Qualification method defined per training type (read-and-understand vs practical vs exam)
  • Effectiveness verification method and acceptance criteria
  • Job descriptions + authority matrix for quality-impact roles
  • Training matrix (controlled)
  • Training records (attendance) + effectiveness checks (test results, observation sign-off)
  • Competence sign-off record per person/role
  • Pick one role that releases product or approves deviations: prove competence and authorisation.
  • Pick one “critical training” item: verify pass criteria and evidence of effectiveness.
  • Verify training changes after process change (change control linkage).
  • Training done with no effectiveness evidence for high-risk tasks.
  • Matrix exists but is outdated or not aligned to roles.
  • People perform quality-impact work without recorded competence/authorisation.

6.3 Infrastructure

Operational requirement: infrastructure must support conformity and be maintained. Auditors test whether failures are detected, controlled, and prevented from impacting product.

Infrastructure DomainControlsMandatory RecordsAudit Failure Patterns
Facilities & Utilities
  • Defined requirements for space, utilities, cleanliness zones (where applicable)
  • Maintenance planning and reactive maintenance controls
  • Failure response plan (containment, product impact assessment)
  • Planned maintenance schedule + completion logs
  • Breakdown/repair records + impact assessments
  • Environmental alarms/events log (if used)
  • Maintenance is informal; no completion evidence.
  • Breakdowns occur with no product impact evaluation record.
IT / QMS Tools (Where Used)
  • Access control and role permissions for QMS records
  • Backup/restore evidence and incident management
  • Change control for systems impacting QMS records
  • User access review records
  • Backup logs + restore test evidence
  • IT incident log + corrective actions
  • Shared accounts; uncontrolled access.
  • No evidence backups are effective.

6.4 Work Environment And Contamination Control

Operational requirement: define environment conditions needed for product conformity and control contamination where cleanliness can affect safety/performance.

Boundary rule: If the device, packaging, or manufacturing step is sensitive to contamination, the environment becomes a controlled process: defined conditions, monitoring, response triggers, and documented verification.
Control AreaControlsMandatory RecordsAuditor Tests
Environment Requirements
  • Define required conditions (temperature/humidity/cleanliness/ESD/etc) where relevant
  • Define zones and gowning/entry rules where relevant
  • Define cleaning and contamination prevention routines
  • Work environment specification (controlled)
  • Cleaning schedules + completion records
  • Gowning/entry compliance records (if used)
  • Show defined conditions and prove they are implemented (records, not statements).
  • Trace one deviation (missed cleaning, excursion) to containment and impact evaluation.
Monitoring & Response
  • Monitoring plan (what is monitored, frequency, acceptance limits)
  • Deviation triggers and escalation rules
  • Product impact assessment requirement for excursions
  • Monitoring logs (environmental checks, particulate, bioburden where applicable)
  • Deviation records + investigations + actions
  • Impact assessment records
  • Pick one alarm/deviation and test closure quality and product disposition decisions.

Clause 6 Auditor Evidence Table (6.1–6.4)

Use this as an audit index: each row states what to show, where auditors sample, and what fails most often.

Subclause Evidence (Records Only) Where Auditors Sample Common Major NC Indicators
6.1 Resource plans; resourcing approvals/denials with rationale; capacity evidence linked to QMS signals Management review outputs + quality KPI signals Known backlogs persist without documented resourcing decisions
6.2 Role competence profiles; training matrix; training records + effectiveness checks; authorisation sign-offs Roles performing release/verification/complaint/CAPA/change decisions Training exists without effectiveness evidence; competence not defined per role
6.3 Maintenance plans/logs; breakdown logs + impact assessments; IT access reviews; backup/restore test evidence Recent failures/incidents and how they were contained Maintenance informal; incidents with no product impact evaluation
6.4 Environment specs; cleaning logs; monitoring logs; excursion/deviation records + impact assessments Excursions, cleaning misses, contamination events, trending Environment defined but not monitored; no impact assessment when excursions occur

Implementation Sequence (Fastest Path To Audit-Ready Clause 6)

  1. Define quality-impact roles and their decision authorities (release, deviations, CAPA approvals, training sign-off).
  2. Build competence profiles per role and publish a controlled training matrix.
  3. Set effectiveness verification rules per training type (exam, practical assessment, supervised sign-off, observation).
  4. Run a baseline competence assessment for current staff and close gaps with documented qualification evidence.
  5. Implement maintenance control for facilities/utilities and define failure response with impact assessment records.
  6. Define work environment requirements and contamination controls where applicable; implement monitoring and deviation escalation.
  7. Connect triggers: CAPA trends, audits, complaints, and change control must trigger re-training, resourcing, or environment controls updates.

Common Certification Audit Failure Patterns (Clause 6)

  • Training as attendance only: no evidence of effectiveness for critical tasks.
  • Competence not defined: no role profiles; matrix does not reflect what people actually do.
  • Authorisation is informal: people release/approve without recorded authority.
  • Maintenance records missing: planned maintenance exists but is not completed or evidenced.
  • Environment controls are declarative: conditions defined with no monitoring or excursion response evidence.
  • No trigger logic: audits/CAPA trends do not force training, staffing, or infrastructure decisions.

FAQ (Clause 6)

What is the difference between training and competence under ISO 13485 Clause 6?

Training is an input. Competence is the outcome proven by evidence: assessment results, supervised sign-off, error-rate reduction, or demonstrated capability to perform the task and make required decisions.

What records do auditors ask for first in Clause 6?

Training matrix, competence/authorisation evidence for quality-impact roles, maintenance logs, and any environment monitoring/deviation records where contamination could affect product.

How do we prove training effectiveness?

Use defined pass criteria: exams, practical observation checklists, supervised task sign-off, and objective outcome checks (reduced repeat errors, fewer deviations, fewer CAPA recurrences).

When do we need contamination control?

When product safety/performance can be affected by contamination, cleanliness, handling, or environment conditions. The control becomes auditable when conditions are defined, monitored, and excursions trigger documented impact assessments.

How does Clause 6 link to Clause 5 and Clause 8?

Clause 5 drives resourcing decisions; Clause 8 generates triggers (audit findings, CAPA trends, complaints) that force training, staffing, infrastructure, or environment actions under Clause 6.

Implementation support navigation:
1 1

ISO Cloud Consulting

Training & Competence Kit

$149.00 USD
$149.00 USD
Sale Sold out
View full details
1 1

ISO Cloud Consulting

QMS Core System (Clauses 4–6 & 8)

$699.00 USD
$699.00 USD
Sale Sold out
View full details
1 1

ISO Cloud Consulting

Complete ISO 13485:2016 QMS Pack

$2,099.00 USD
$2,099.00 USD
Sale Sold out
View full details

Build Clause 6 Evidence Fast

Clause 6 audit outcomes are decided by competence evidence, maintenance logs, and environment controls. If you are missing role competence definitions, training effectiveness checks, or infrastructure/work environment records, use the kits above or move to a full system build.

Contact Us
Pricing