This is not a basic clause summary page. It is a navigation layer for ISO 13485 Clauses 4–8 built around how audits actually work. Auditors rarely assess one clause in isolation. They move from management review to CAPA, from complaint handling to risk updates, from document control to training, and from product realization to monitoring, release, and nonconformance.
Use this page to do three things fast: identify the clause under pressure, pull the record families that prove control, and jump into the matching system, toolkit, collection, or service page that helps you close the gap properly.
If an auditor names a clause, use the clause map below to open the matching page and pull the exact evidence families that should already exist.
Do not stop at one record. Good audits test linkage across document control, training, complaints, CAPA, risk management, management review, supplier controls, and product release.
Once you know where control is weak, jump straight to the matching product, collection, or service page so the gap is closed at system level, not patched with one-off documents.
Clause navigation
Use this section when an auditor names a clause, when leadership asks what is missing, or when you need the fastest route from requirement to records, linked processes, and remediation tools.
Use this when the problem sits in QMS structure, process interaction, medical device files, document approvals, obsolete documents, record retention, or software used in the QMS.
Use this when the gap is not paperwork but leadership control: weak objectives, weak internal communication, missing review cadence, or management review outputs that never drive action.
Use this when the system fails because the right people, training, equipment, environment, or contamination controls are not consistently defined, delivered, or evidenced.
Use this when the evidence chain breaks across planning, requirements, design controls, supplier management, production control, validation, traceability, release, or measuring equipment.
Use this when the pressure sits in feedback, complaints, regulatory reporting, internal audit, monitoring and measurement, nonconforming product, analysis of data, CAPA, preventive action, or risk-linked improvement.
Use the product links above if you want a self-serve system. If you want implementation help, audit preparation, remediation, or a broader build-out, move straight into services, pricing, proof, or contact.
Use this map to understand what the clause is really testing, which records auditors usually sample, and which system pages or products help you close the weakness instead of just reacting to the finding.
| Area | What auditors are really testing | Typical records sampled | Best-fit system or collection |
|---|---|---|---|
| 4.1 General requirements | Whether the QMS is defined as an operating system with controlled process interaction, outsourced controls, change control, and validated software where applicable. | QMS scope, process map, software validation records, process change requests, outsourced process oversight. | QMS Software Validation System QMS Core Bundle |
| 4.2.1–4.2.2 Controlled documentation and quality manual | Whether the minimum documented system exists, is approved, and actually governs operations. | Quality manual, policy and objectives, procedure matrix, document approvals, revision history. | Document Control System Bundle Document Control Collection |
| 4.2.3 Medical device file | Whether product-specific files actually contain or point to the records required to demonstrate conformity. | Medical device file index, specifications, labelling, IFU, manufacturing and monitoring procedures. | Labelling & Medical Device File Pack |
| 4.2.4–4.2.5 Document and record control | Whether the organization can prevent uncontrolled documents, retain records for the right period, retrieve them fast, and protect confidentiality where relevant. | Master document list, external document register, obsolete document archive, retention schedule, audit trail of record changes. | Document Control System Bundle Free Master Document List Template |
| Area | What auditors are really testing | Typical records sampled | Best-fit system or collection |
|---|---|---|---|
| 5.1–5.2 Management commitment and customer focus | Whether top management actively governs the QMS and turns customer and regulatory requirements into decisions, priorities, and resources. | Resource approvals, requirement review records, complaint and feedback summaries, regulatory communication logs. | Founder & CEO Governance Execution Pack |
| 5.3–5.4 Policy, objectives and planning | Whether policy and objectives are controlled, measurable, and tied to QMS planning and change control. | Policy approvals, objectives register, KPI reviews, QMS planning logs, change impact assessments. | Management Review Dashboard Kit Management Review Collection |
| 5.5 Responsibility, authority and communication | Whether ownership is clear and quality signals move through the business fast enough to drive control. | Org chart, role descriptions, appointment records, escalation logs, internal quality meeting minutes. | QMS Core Bundle |
| 5.6 Management review | Whether management review is a real decision forum that consumes required inputs and produces tracked outputs. | Review agenda, input pack, meeting minutes, output tracker, prior action follow-up, resource decisions. | Founder & CEO Governance Execution Pack Dashboard Kit |
| Area | What auditors are really testing | Typical records sampled | Best-fit system or collection |
|---|---|---|---|
| 6.1 Provision of resources | Whether the organization deliberately provides people, equipment, budget, and infrastructure required to meet product and regulatory requirements. | Resource plans, hiring approvals, equipment purchases, maintenance or calibration budget approvals. | QMS Core Bundle |
| 6.2 Human resources | Whether competence is defined, training is delivered, and effectiveness is checked proportionate to risk. | Training matrix, competence criteria, training records, effectiveness checks, experience records. | Training & Competence Kit ISO 13485 Training Library Bundle |
| 6.3 Infrastructure | Whether infrastructure and maintenance prevent product mix-up, loss of control, or unreliable results. | Maintenance schedules, equipment inventory, IT qualification, access control, infrastructure maintenance records. | Equipment & Calibration Management System |
| 6.4 Work environment and contamination control | Whether environmental conditions, hygiene, special controls, and contamination prevention are defined and sustained. | Environmental logs, cleaning records, gowning records, contamination investigations, zoning controls. | Production, Process Validation & Sterilization System |
| Area | What auditors are really testing | Typical records sampled | Best-fit system or collection |
|---|---|---|---|
| 7.1–7.2 Planning and customer-related processes | Whether requirements are captured, reviewed, translated into controls, and changed under discipline. | Product realization plans, requirement registers, review approvals, customer communication logs. | QMS Core Bundle |
| 7.3 Design and development | Whether design controls produce a defendable chain from inputs to outputs to review, verification, validation, transfer, and design change control. | Design plan, DHF index, design review records, V&V evidence, transfer records, change impact assessments. | Design Controls Execution System Design Controls Collection |
| 7.4 Purchasing and outsourced processes | Whether supplier risk is understood and converted into qualification, monitoring, incoming acceptance, and corrective action. | Supplier evaluations, approved supplier list, quality agreements, incoming inspection, supplier CAPA or SCAR evidence. | Supplier Control System Supplier Control Collection |
| 7.5–7.6 Production, validation, traceability and equipment | Whether controlled production, validated special processes, traceability, preservation, and measuring equipment control protect release decisions. | Batch or DHR packets, validation protocols and reports, traceability records, storage condition logs, calibration certificates. | Production, Process Validation & Sterilization System Equipment & Calibration Management System |
| Area | What auditors are really testing | Typical records sampled | Best-fit system or collection |
|---|---|---|---|
| 8.2.1–8.2.3 Feedback, complaints and regulatory reporting | Whether market signals are captured, triaged, investigated, and escalated appropriately into reporting, correction, CAPA, and risk updates. | Feedback logs, complaint files, reportability decisions, regulatory communications, field action records. | Complaint & Feedback Handling Kit Complaint to CAPA to Risk Update Pack |
| 8.2.4–8.2.6 Internal audit, process monitoring and product monitoring | Whether monitoring systems detect loss of control and whether internal audits are producing real findings, CAPA, and verified closure. | Audit program, audit plans, reports, KPI dashboards, inspection and release records, product monitoring records. | Internal Audit System Monitoring & Measurement of Product Toolkit |
| 8.3–8.4 Nonconforming product and analysis of data | Whether the business can contain product issues, make sound disposition decisions, and use trend analysis to detect systemic problems. | NCR logs, concession records, rework records, trend dashboards, data summaries, management review analysis inputs. | Data Analysis & Management Review Dashboard Kit |
| 8.5 CAPA and preventive action | Whether the organization can identify true root cause, implement action without adverse effects, verify effectiveness, and update risk where required. | CAPA intake, investigation, root cause analysis, action plans, implementation evidence, effectiveness checks, risk updates. | CAPA Toolkit ISO 14971 Risk Management System |
These are the cross-process evidence chains auditors commonly follow when they want to know whether the QMS is genuinely operating.
If management review inputs exclude complaint trends, CAPA status, or risk-linked outcomes, the governance layer is weak even if the meeting happened on time.
A controlled procedure is not enough. Auditors look for the current revision at point of use, training to the current version, and records generated under the right revision state.
If supplier problems exist, auditors often check whether the same issue appears in incoming inspection, nonconforming product, supplier corrective action, and management review.
Strong design records should flow into transfer, process validation where needed, release criteria, and post-market or complaint signals if real-world performance shifts.
Use this as a fast ownership and linkage view when teams are unsure what should exist and which process needs to connect to which one.
| Record family | Typical owner | What it should link to | Best-fit system |
|---|---|---|---|
| Master document list and document approvals | Quality | Training, process changes, management review decisions | Document Control System Bundle |
| Management review minutes and action tracker | Top management / management representative | Complaints, CAPA, audits, KPIs, resource decisions | Governance Pack |
| Training matrix and competence evidence | Quality / HR / process owners | Document revisions, role definitions, process qualification | Training & Competence Kit |
| DHF or design control file | R&D / engineering / QA | Risk management, transfer, V&V, change control | Design Controls Execution System |
| Supplier qualification and performance records | Supplier quality / purchasing | Incoming verification, NCR, SCAR, risk updates | Supplier Control System |
| Internal audit program, reports and closure evidence | Internal audit lead / QA | CAPA, management review, process effectiveness | Internal Audit System |
| Complaint, NCR and CAPA records | QA / PMS / process owner | Reportability, corrections, effectiveness checks, risk updates | Complaint to CAPA to Risk Update Pack |
| Process and product monitoring records | QA / operations | Release decisions, trend analysis, management review | Monitoring & Measurement of Product Toolkit |
Controlled documents, master lists, training evidence, record control, and core QMS support documents.
Governance, management review inputs and outputs, dashboards, KPIs, and decision-tracking tools.
Clause 6.2 support for competence criteria, training rollout, awareness, and effectiveness checks.
Design planning, DHF structure, review, verification, validation, transfer, and change control tools.
Internal audit planning, execution, reporting, closure evidence, and audit-readiness support.
Complaint handling, CAPA, vigilance, post-market response, and linked improvement tools.
Clauses 4–8 cover the operating core of an ISO 13485 quality management system: the QMS and documentation framework, management responsibility, resources, product realization, and measurement/analysis/improvement. In practice, these clauses are where most audit evidence lives because they show how the system is actually run day to day. Use this hub to jump into the dedicated clause pages and then pull the linked record families, not just the clause wording.
Audit evidence is not a policy statement or a promise that something happens. It is approved, attributable, dated, retrievable proof that the process operated. That usually means records: approvals, logs, review minutes, training records, complaint investigations, CAPA files, internal audit reports, release records, and linked risk updates. Procedures explain intent. Records prove control.
Auditors usually sample the master document list, document approvals, revision history, obsolete document controls, external document controls, and evidence that the current version is what people actually use. They also look for linkage to training when revised procedures change operational requirements.
They usually look for retention rules, storage and retrieval logic, controlled changes to records, security and integrity where needed, and evidence that records can be found quickly. In medical-device systems, they often jump from record control to training records, complaint files, CAPA, batch or release packets, and audit records. Weak retention logic is a common failure point because it breaks traceability fast.
CAPA is one of the main closure mechanisms in Clause 8. It converts signals from complaints, audits, monitoring, nonconformances, supplier issues, and trend analysis into structured investigation, root cause, action, verification, and effectiveness checks. A CAPA process that does not connect to management review and risk updates is usually incomplete.
Complaint handling should not stop at intake and investigation. Trends, serious investigations, repeat events, and systemic failures should feed CAPA when the issue is bigger than one isolated case. Strong systems also connect complaints to reportability decisions, corrections, advisory actions, and risk management review where applicable. That linkage is one of the first things auditors test when complaints exist.
Feedback is one of the fastest ways to detect whether assumptions in the risk file still hold in real-world use. If post-market feedback, complaints, or product monitoring show new hazardous situations, frequency shifts, or control failures, the risk file should be reviewed and updated. A system that collects feedback but never reconsiders risk is not closed-loop.
Because management review is supposed to be the place where quality signals become management decisions. If complaint trends, audit results, monitoring data, CAPA status, and regulatory changes are not flowing into management review, leadership is not actually governing the QMS. Auditors care less about the calendar invite and more about the quality of inputs, outputs, decisions, and action follow-up.
Having procedures that look clean on paper but cannot be supported by current, linked records. Common examples are uncontrolled documents in use, missing training effectiveness checks, weak supplier files, complaint investigations with no escalation logic, CAPA without root cause discipline, and management review that does not consume the required inputs. The failure is usually not one bad form. It is broken linkage across the system.
Start with the clause being challenged. Open the linked clause page. Pull the record families listed in the evidence map. Then verify the upstream and downstream systems that should already connect to that clause, such as training, CAPA, management review, risk, supplier controls, or release evidence. This page works best as a live navigation tool, not as passive reading material.
Use the product and collection links on this page if you want a faster self-serve route. If you want implementation support, audit preparation, remediation, or a broader QMS build-out, move straight into services and pricing.
