Clause 7 is where ISO 13485 becomes operational

ISO 13485 Clause 7 is where requirements stop being theoretical and start becoming controlled outputs, controlled suppliers, controlled production, controlled traceability, and controlled release decisions.

For most companies, this is also where audits get real. Auditors do not just want procedures. They want to see whether your product realization process actually works across 7.1 to 7.6: planning, customer requirements, design and development, purchasing, production and service provision, validation, traceability, preservation, and control of monitoring and measuring equipment.

This page is built to do two things at once:

  • explain what auditors actually sample in Clause 7;
  • route visitors into the right system, toolkit, or consulting path based on the gap they really need to fix.
Explore Services

ISO 13485 Clause 7 is the operational spine of the QMS. It is where requirements become controlled design outputs, approved suppliers, validated production processes, executable traceability, calibrated acceptance decisions, and defendable product release.

Jump To Clause 7 Map Jump To Clause 7 Solutions Jump To Auditor Sampling Path Talk To ISO Cloud Consulting

What auditors are really testing in Clause 7

Requirements control

Are product requirements captured and flowed into the system?

Auditors test whether customer, regulatory, usability, labeling, servicing, and performance requirements were translated into controlled records, not left in emails or informal decisions.

Execution control

Can you prove the device was built, checked, and released under control?

They follow the evidence chain from approved specifications into supplier control, work instructions, in-process checks, final acceptance, and release decisions.

Risk linkage

Do risk controls actually show up in real operations?

A strong Clause 7 system shows that design, supplier, validation, traceability, and release decisions all reflect the real risk profile of the device and its intended use.

Audit defensibility

Can the organization answer sampling without scrambling?

The strongest teams do not just have templates. They have clean evidence packs, controlled records, and a structure that survives real audit sampling across 7.1 to 7.6.

Clause 7 map: what each subclause is supposed to control

7.1 Planning 7.2 Customer Processes 7.3 Design & Development 7.4 Purchasing 7.5 Production & Validation 7.6 Equipment & Measurement
7.1

Planning of product realization

Define how the product will move through controlled stages, with responsibilities, acceptance criteria, resources, records, and risk-linked controls.

Auditor focus

Planned stages, defined outputs, acceptance criteria, verification/validation logic, and evidence that the plan was actually used.

7.2

Customer-related processes

Capture requirements correctly, review them before commitment, control changes, and keep communication channels linked to complaint and feedback handling.

Auditor focus

Requirement intake, feasibility review, change review, and evidence that downstream specifications match what was agreed.

7.3

Design and development

Control design planning, inputs, outputs, reviews, verification, validation, transfer, and design changes with a defendable DHF structure.

Auditor focus

Inputs-to-outputs traceability, V&V evidence, design transfer, and clean design change impact logic.

Dedicated Clause 7.3 Page Shop 7.3 Collection
7.4

Purchasing

Suppliers, outsourced processes, purchasing information, change notification, and incoming verification must be controlled in proportion to risk.

Auditor focus

Supplier evaluation, re-evaluation, quality clauses, change notification, and verification of purchased product.

Shop 7.4 Collection
7.5

Production and service provision

Control production records, in-process checks, cleanliness, validation of special processes, traceability, preservation, installation, servicing, and product release support.

Auditor focus

Released configuration, batch or device history evidence, validation records, traceability execution, and preservation or storage controls.

Shop 7.5 Collection Traceability & Device File
7.6

Control of monitoring and measuring equipment

Acceptance decisions are only credible if the equipment, software, and measurement system behind them are identified, calibrated, controlled, and reviewed when something goes out of tolerance.

Auditor focus

Equipment register, calibration status, traceable records, and documented impact logic for any out-of-tolerance event.

Shop 7.6 Collection

Shop by real Clause 7 gap

Best for 7.3 gaps

Design controls, DHF structure, V&V, and transfer

Use this route if your organization owns design, manages design changes, or needs a stronger DHF, traceability, review, verification, validation, and transfer structure.

Design Controls Collection Design Controls Execution System DHF Essentials Toolkit
Best for 7.4 gaps

Supplier control and outsourced production oversight

Use this route if you rely on critical suppliers, contract manufacturers, outsourced sterilization, or external processes that directly affect device quality and release confidence.

Supplier Control Collection Supplier Control System Outsourced Production Oversight Pack
Best for 7.5 gaps

Production control, process validation, sterilization, and release evidence

Use this route if your weakness is execution on the floor: work instructions, validation records, special processes, cleanliness, traceability, product history, or release support.

Process Validation Collection Production, Process Validation & Sterilization System
Best for 7.6 + traceability gaps

Calibration, measurement control, traceability, and device file support

Use this route if acceptance decisions are at risk because of weak equipment control, incomplete traceability, labeling gaps, or poor medical device file structure.

Equipment & Calibration Collection Equipment & Calibration Management System Labelling, Traceability & Device File Collection

Clause 7 does not stand alone

Strong Clause 7 execution depends on linked risk management. If your risk controls are not flowing into design inputs, supplier oversight, validation logic, traceability, and release decisions, the system will still fail under sampling.

Risk Management & ISO 14971 Collection ISO 14971 Risk Management System Integrated ISO 13485 + ISO 14971 Pack

How auditors usually sample Clause 7

  1. Select one device, product family, or released lot and ask for the controlling evidence chain.
  2. Check whether customer and regulatory requirements were translated into controlled specifications and acceptance criteria.
  3. If design applies, sample design planning, inputs, outputs, V&V, transfer, and design changes.
  4. Move into supplier control and verify that critical purchased product or outsourced activities were evaluated and controlled proportionately to risk.
  5. Trace one build or batch through production records, validation evidence, traceability, and release support records.
  6. Challenge the credibility of the acceptance decision by checking equipment status, calibration evidence, and any out-of-tolerance handling logic.

Common Clause 7 failure patterns

Design transfer gap

Approved design outputs exist, but production is still running on uncontrolled or mismatched instructions, forms, labels, or specifications.

Supplier control that looks good on paper only

Suppliers are approved, but there is weak evaluation logic, poor re-evaluation, missing change notification controls, or weak verification of purchased product.

Validation that is incomplete or stale

Processes were validated once, but changes, new loads, new equipment, new software, or new configurations were never re-assessed properly.

Traceability that cannot execute under pressure

Records exist, but the team cannot quickly prove one-up or one-down trace, product status, or what exactly was released and on what basis.

Release decisions weakened by equipment issues

Measurement equipment, acceptance software, or calibration records are incomplete, outdated, or disconnected from the product release logic.

Clause 7 disconnected from Clause 8

Complaints, CAPA, post-market information, supplier issues, and production trends are not feeding back into design, validation, or process controls.

FAQ

What does ISO 13485 Clause 7 cover?

Clause 7 covers product realization: planning, customer-related processes, design and development where applicable, purchasing, production and service provision, validation, traceability, preservation, and control of monitoring and measuring equipment.

What part of Clause 7 fails most often in audits?

The most common failures are weak design transfer, cosmetic supplier approval, missing or stale process validation, traceability that cannot be executed under sampling, and release decisions supported by weak calibration or equipment records.

Do I need design controls if I do not design the device?

Not always in full, but you still need a defensible applicability decision. If you control specifications, labels, IFUs, performance claims, significant changes, or transfer logic, auditors will still test those interfaces closely.

When is process validation required under Clause 7.5.6?

Process validation is required where output cannot be fully verified by subsequent monitoring or measurement, or where defects may only become visible after use. That includes many special processes and many sterile-process workflows.

How does Clause 7 connect to ISO 14971 risk management?

Risk management should shape design inputs, supplier controls, validation decisions, traceability depth, release logic, and post-market change decisions. If those links are weak, Clause 7 will not hold up well in a serious audit.

Recommended Clause 7 systems

Start with the system that matches your weakest operational control. These four products map cleanly to the most commercially important Clause 7 gaps: design controls, supplier control, process validation, and calibration-backed release integrity.

View all

Need Clause 7 fixed end-to-end, not just explained?

If your team is standing up a new medical device QMS, repairing surveillance or certification findings, or tightening controls before scale, Clause 7 usually needs more than isolated templates. It needs a structure that links requirements, risk, suppliers, production, validation, traceability, and release decisions into one defendable operating system.

Use the product modules above if you know the exact gap. Use our consultancy services if you need Clause 7 designed, repaired, or integrated properly into the rest of your ISO 13485 system.

You can also review our proof, services, and pricing pages before reaching out.

Book a Conversation