Training and Competence under ISO 13485

A few weeks ago, I issued a poll on LinkedIn to my connections and followers on topics they would like to see feature in the Comply Guru Blog Series.

Imagine my surprise when the majority vote went to Training and Competence, or as us Quality Folks know it, Clause 6.2 of ISO 13485 (2016) – Human Resources, a sub clause of Clause 6 – Resource Management.

Yes, you read that right, Resource Management.  Let’s go and get to grips with Training and Competence as they exist in ISO 13485.

What are considered Resources under ISO 13485?

Just like the equipment, tools, hardware, software, utilities and facilities required by any organization and Quality Management System (QMS), People are also viewed as a resource to a QMS established and implemented to the requirements of ISO 13485 – It’s in the name “Human Resources” aka People as Resources.

But Resources and their requirements are not exclusive to Clause 6, of course not, that would make no sense.  Because, you see, the processes of the standard are inter-related, and the use of the process flow diagram will show the relationships that exist between those processes of ISO 13485.

Moreover, someone must be ultimately responsible for those resources and have authority over decisions impacting those resources.  Lest we forget, responsibilities and authorities are not the same thing – but that discussion is for another day, and possibly another blog.

But let me tell you something – the requirements around responsibilities and authorities as outlined at Clause 5.5.1 are an area that I see many non-conformances raised during auditing.  But I divagated.

Responsibility and Authority of Resources

Who is responsible and has authority for all these resources and where can this be pinpointed in ISO 13485?

Well, let’s take a wander to Clause 5.1e which makes it a mandatory requirement that Top Management ensure the availability of resources.  This requirement is further cemented in importance at Clause 5.6.3d as part of the Management Review Output where output from the Management Review must include any decisions or actions related to resource needs.

So, you see, Resources are considered as integral a part of the QMS as any other part, if not one of the most important parts of the QMS.  The absence of adequate resources will result in a failing QMS.  But it doesn’t end here.

ISO 13485 and Resources

Consider Clause 7.3.2f – Design and Development Planning which mandates that during D&D planning the organization must document “the resources needed including necessary competence of personnel” and let’s jump to Clause 7.4.2c that’s requires that when organizations are collating purchasing information, they are required to document the requirements for qualification of supplier personnel.

Given the extent of the role played by suppliers in the QMS, you can see where ensuring the competence of the suppliers into that very QMS cannot go undervalued.

For example, where organizations outsource Calibration processes, you want to make sure that the folks performing any calibration activity in the scope of your QMS are trained and competent to do so and have the evidence to support their claims of training and competence.

Another lens to frame the approach of supplier training and competence is where organizations outsource a process such as manufacturing or packaging and labelling.

Outsourcing does not remove the process from the scope of the organization’s QMS, and in some cases, organizations may train outsourced suppliers to their own processes that align with the activities outsourced and maintain records of the training as a requirement of Clause 6.2e.

Which brings me nicely back to the origins of Training and Competence in ISO 13485.

Clause 6.2 – Human Resources

But, what of Clause 6.2?

Well, let’s recognize that in ISO 13485 Human Resources is a departure from what we would normally associate with the traditional function of “HR” in an organization.

Firstly, when we look at the Plan, Do, Check, Act cycle, we must recognize that the requirements of Clause 6 fall into the Planning Phase of the QMS, meaning that Clause 6.2 is related to the planning of resources.

Secondly, the planning phase includes how the organization will demonstrate, by documentation, the processes for establishing competence, how they intend to provide training needed by personnel and ensuring awareness of personnel.

Thirdly, when organizations have provided training, whether internally, or using an external training source, they must check the effectiveness of this training.  Be it by a quiz, or shadow/observation training, the organization must ensure that the training provided is effective and that the training will positively impact on the quality of the end product and ensure the continued integrity of the QMS.

Finally, risk plays a part in training and competence requirements as proclaimed by that all too familiar wording captured in the note at the very end of Clause 6.2.

The method used to check effectiveness of the training provided must be “proportionate to the risk associated with the work for which the training or other action is being provided”.

The higher the risk to the end product or the QMS presented by the interaction of the person performing the activity associated with the manufacturing phase they are responsible for in the product realization or the part they play in the QMS, the more detailed the effectiveness check should be related to the training and competence provided by the organization.

A good example is auditor training.

Often times organizations will have an audit management training program as an internalized effort on their part in their training system.  But does full confidence exist that when these training records of internal auditors are presented to an external auditor that they will carry muster?

I can tell you, it probably will not.

I recently performed an audit where an auditor had no records on file to demonstrate their auditing experience and could not produce an audit log to support their claims of auditor competence.

For full context, they were responsible for the auditing requirements of the QMS for the organization.  Their only defense was that they had trained to the internal procedures for auditing.  Not good enough I am afraid.  “Read and Understand” of an internal procedure does not an auditor make.  So sometimes it is worth exploring external certified training to support your QMS in an audit.

Changes and Training

What happens when changes occur in the QMS.

Change management is captured in a number of areas of the standard.  Clause 4.1.4 is related to changes in a process, Clause 5.4.2b talks to system or bigger changes to the QMS and finally Clause 7.3.9 is all about changes to the product.

There we have it, the holy trinity of change – Process, QMS and Product.

Remember earlier when I mentioned the relationships that exist between processes, well sit back and let me take you away on an adventure.

Although changes are mentioned in three different sections of the standards representing different types of changes, it doesn’t change the fact that regardless of changes, organizations are required to “provide training or take other actions to achieve or maintain the necessary competence” – Clause 6.2b.

It therefore stands to reason that any change to a process, the QMS or the product itself must be assessed for impact on training requirements to make sure every person’s competence is MAINTAINED.

Changes equals Training, it is a symbiotic relationship.  Where one exists so does the other.

The chronological order which these activities follow must also be balanced.

For example, if you update a document that becomes effective on application of the final approval signature to that change, organizations are potentially creating a two-tier level of training and competence in the organization.  Some people will have trained to the update, others will not and may not for months unless the training is tracked, meaning they are working to a previous version of the procedure.

The change must be approved as per the appropriate channels, then must be put on a training period to ensure awareness of personnel and ensure people have the chance to train to the update before the change becomes effective, and thus standardizing everyone’s training.

This training period can vary dependent on the size of the organization and range from 2 days for smaller organizations up to 10 days for larger organizations.

It’s not lost on me that organizations have systems that remove obsolete versions of documents so that they can’t be viewed, but that should not be considered a fail-safe.

Again, we see that relationship with another part of the standard, Clause 4.2.4d which ensures that the “relevant versions of applicable documents are available at points of use”.  Which leads me to my next point.

Record Keeping

Clause 6.2e requires that organizations “maintain appropriate records of education, training, skills and experience” and as with any record in the scope of an ISO 13485, these records must be maintained as per the requirements defined at Clause 4.2.5.

There’s that relationship again! Where you see 4.2.5 encased in those brackets against a clause, it represents a record, and records are evidence.

Let me assure you of one certainty when it comes to an audit situation – you want to make sure your records are kept up to date.

They represent not only your organization, but also your product.

And this claim of mine is supported by the standard requirements which states that “Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system”.

Given that each QMS is tailor made for the organization and its product, failure to maintain records will lead to failure overall.

Now, take a moment to consider failure in maintaining training records.  See how that can impact on the QMS and the product itself? Sit with that for a moment…I know right….Scary!

Clause 4.2.5 also requires that organizations retain the records for at least the lifetime of the medical device.  How does this relate to training?

Come on now, we all sign our name at least 100 times a day.  We must all remember the importance of that signature and what it represents.  We all casually apply or signature to our training records stating that we have read and understood the training, don’t we?

It also makes traceability easy at each step in the product realization back to the individual involved.

When things go wrong, what do you think is one of the first things that is checked?

Was the person trained and competent to perform the activity in relation to their involvement in the step in manufacturing the product.  Organizations better light a candle at that stage and pray to whatever God they believe in that the records reflect a fully trained and competent individual!

There we have it folks, my thoughts on Clause 6.2 Human Resources.  On reflection of your own organization and your own training, how confident are you that you truly satisfy the requirements of ISO 13485?

I hope you enjoyed this instalment in the series and found it useful and until next time, Stay Conforming and Compliant!