CEN ISO/TR 14969:2005

SLOVENSKI STANDARD
01-januar-2010
0HGLFLQVNLSULSRPRþNL6LVWHPLYRGHQMDNDNRYRVWL1DYRGLOD]DXSRUDER,62
,6275
Medical devices - Quality management systems - Guidance on the application of ISO
13485:2003 (ISO/TR 14969:2004)
Medizinprodukte - Qualitätssicherungssysteme - Anleitungen zur Anwendung von ISO
13485:2003 (ISO/TR 14969:2004)
Dispositifs médicaux - Systèmes de gestion de qualité - Lignes directrices pour
l'application de l'ISO 13485:2003 (ISO/TR 14969:2004)
Ta slovenski standard je istoveten z: CEN ISO/TR 14969:2005
ICS:
03.120.10 Vodenje in zagotavljanje Quality management and
kakovosti quality assurance
11.040.01 Medicinska oprema na Medical equipment in general
splošno
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL REPORT
CEN ISO/TR 14969
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
June 2005
ICS 11.040.01; 03.120.10
English version
Medical devices - Quality management systems - Guidance on
the application of ISO 13485:2003
Dispositifs médicaux - Systèmes de gestion de qualité -
Lignes directrices pour l'application de l'ISO 13485:2003

This Technical Report was approved by CEN on 3 March 2005. It has been drawn up by the Technical Committee CEN/CLC/WG QS.

CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia,
Slovenia, Spain, Sweden, Switzerland and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

Management Centre: rue de Stassart, 36  B-1050 Brussels
© 2005 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN ISO/TR 14969:2005 E
worldwide for CEN national Members.

Foreword
The text of ISO/TR 14969:2004 has been prepared by Technical Committee ISO/TC 210 “Quality
management and corresponding general aspects for medical devices”. The transposition into a CEN
ISO/TR 14969 has been managed by the CEN/CENELEC Co-ordinating Working Group on quality
supplements for medical devices (CEN/CLC/CWG QS) the Secretariat of which is held by DIN in
collaboration with the CEN Management Centre (CMC).
With the publication of CEN ISO/TR 14969:2005 the following standards became obsolete and shall
be withdrawn:
* EN 724:1994 .Guidance on the application of EN 29001 and EN 46001 and of EN 29002 and
EN 46002 for non-active medical devices.,

* EN 928:1995 .In vitro diagnostic systems - Guidance on the application of EN 29001 and EN
46001 and of EN 29002 and EN 46002 for in vitro diagnostic medical devices.

* EN 50103:1995 .Guidance on the application of EN 29001 and EN 46001 and of EN 29002
and EN 46002 for the active (including active implantable) medical device industry."

It should be noted that the above-mentioned European standards which are not replaced by CEN
ISO/TR 14969:2005, were harmonized under the European Medical Devices Directives (90/385/EEE,
93/42/EEC and (98/79/EC). CEN ISO/TR 14969:2005 is not proposed for harmonization and so does
not provide a presumption of conformity with regard to these European Directives.
TECHNICAL ISO/TR
REPORT 14969
First edition
2004-10-15
Medical devices — Quality management
systems — Guidance on the application
of ISO 13485:2003
Dispositifs médicaux — Systèmes de gestion de qualité — Lignes
directrices pour l'application de l'ISO 13485:2003

Reference number
ISO/TR 14969:2004(E)
©
ISO 2004
ISO/TR 14969:2004(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2004 – All rights reserved

ISO/TR 14969:2004(E)
Contents Page
Foreword. iv
Introduction . v
0.1 General. v
0.2 Process approach. v
0.3 Relationship with other standards, guidance documents and regulatory requirements. vii
0.4 Compatibility with other management systems . viii
1 Scope. 1
1.1 General. 1
1.2 Application. 1
2 Normative references . 2
3 Terms and definitions. 2
4 Quality management system . 3
4.1 General requirements. 3
4.2 Documentation requirements . 4
5 Management responsibility. 9
5.1 Management commitment. 9
5.2 Customer focus. 10
5.3 Quality policy. 10
5.4 Planning . 11
5.5 Responsibility, authority and communication. 13
5.6 Management review. 14
6 Resource management. 17
6.1 Provision of resources . 17
6.2 Human resources. 17
6.3 Infrastructure. 19
6.4 Work environment. 19
7 Product realization. 22
7.1 Planning of product realization . 22
7.2 Customer-related processes . 25
7.3 Design and development. 27
7.4 Purchasing. 36
7.5 Production and service provision. 39
7.6 Control of monitoring and measuring devices . 49
8 Measurement, analysis and improvement. 51
8.1 General. 51
8.2 Monitoring and measurement. 52
8.3 Control of nonconforming product . 56
8.4 Analysis of data. 58
8.5 Improvement. 58
Annex A (informative) Terms used in certain regulatory administrations to describe documents
referenced in this Technical Report. 64
Annex B (informative) Analysis of significant changes from ISO 13485:1996 to ISO 13485:2003. 65
Bibliography . 73

ISO/TR 14969:2004(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that
which is normally published as an International Standard ("state of the art", for example), it may decide by a
simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely
informative in nature and does not have to be reviewed until the data it provides are considered to be no
longer valid or useful.
Attention is drawn to the possibility that some of the elements of this Technical Report may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 14969 was prepared by Technical Committee ISO/TC 210, Quality management and corresponding
general aspects for medical devices.
NOTE ISO/TC 210/WG1 is prepared to accept questions and comments related to the content of ISO 13485:2003
and/or ISO/TR 14969:2004. Please address all such questions and comments to the ISO/TC 210 secretariat at:
hwoehrle@aami.org. These questions and comments will be considered for development of additional guidance in the
application of ISO 13485:2003 either by revision of ISO/TR 14969 or the development of a “Frequently Asked Questions”
document. You will not receive a response to your questions or comments, however, they will be considered for future use
as noted above.
This first edition of ISO/TR 14969 cancels and replaces ISO 14969:1999, which has been technically revised.
Throughout this Technical Report, when the text of ISO 13485 is directly quoted, it appears enclosed in boxes
prefaced by: “ISO 13485:2003, Medical devices — Quality management systems — Requirements for
regulatory purposes”.
iv © ISO 2004 – All rights reserved

ISO/TR 14969:2004(E)
Introduction
0.1 General
0.1.1 This Technical Report provides guidance to assist in the development, implementation and
maintenance of quality management systems that aim to meet the requirements of ISO 13485 for
organizations that design and develop, produce, install and service medical devices, or that design, develop
and provide related services. It provides guidance related to quality management systems for a wide variety of
medical devices and related services. Such medical devices include active, non-active, implantable and non-
implantable medical devices and in vitro diagnostic medical devices.
ISO 13485 specifies the quality management system requirements for medical devices for regulatory
purposes (see Annex A). ISO 13485 accommodates the previous ISO 13488 by permissible exclusion as
specified in ISO 13485:2003, 1.2.
When judging the applicability of the guidance in this Technical Report, one should consider the nature of the
medical device(s) to which it will apply, the risk associated with the use of these medical devices, and the
applicable regulatory requirements.
As used in this Technical Report, the term “regulatory requirement” includes any part of a law, ordinance,
decree or national and/or regional regulation applicable to quality management systems for medical devices
and related services.
This Technical Report provides some approaches that an organization can use to implement and maintain a
quality management system which conforms with ISO 13485. Alternative approaches can be used if they also
satisfy the requirements of ISO 13485.
0.1.2 The guidance given in this Technical Report is applicable to the design, development, production,
installation and servicing of medical devices of all kinds. It describes concepts and methods that can be
considered by organizations which are establishing and maintaining quality management systems.
An organization can voluntarily incorporate guidance from this Technical Report, wholly or in part, into its
quality management system.
0.1.3 Guidance contained in this Technical Report can be useful as background information for those
representing quality management system assessors, Conformity Assessment Bodies and regulatory
enforcement bodies.
The guidance contained in this Technical Report is not to be used for identifying specific deficiencies of quality
management systems, unless such guidance is voluntarily incorporated by the organization into the
documentation describing and supporting the organization’s quality management system, or unless such
guidance is specifically made part of the regulatory requirements relevant to the organization’s operation.
0.2 Process approach
ISO 13485 promotes the adoption of a process approach when developing, implementing and improving the
effectiveness of a quality management system, with the objective of meeting customer and regulatory
requirements, and providing medical devices that meet customer and regulatory requirements.
For an organization to function effectively, it has to identify and manage numerous linked activities. An activity
using resources, and managed in order to enable the transformation of inputs into outputs, can be considered
as a process. Often the output from one process directly forms the input to the next.
ISO/TR 14969:2004(E)
The application of a system of processes within an organization, together with the identification and
interactions of these processes, and their management, can be referred to as the “process approach.”
An advantage of the process approach is the ongoing control which it provides over the linkage between the
individual processes within the system of processes, as well as over their combination and interaction.
If used within a quality management system, such an approach emphasizes the importance of
 understanding and meeting requirements,
 considering processes in terms of added value,
 obtaining results of process performance and effectiveness, and
 improving processes based on objective measurement.
The model of a process-based quality management system shown in Figure 1 illustrates the process linkages
presented in ISO 13485:2003, Clauses 4 to 8. This illustration shows that customers and regulatory authorities
play a significant role in defining requirements as inputs. Monitoring of customer feedback requires the
evaluation of information relating to whether the organization has met the customer requirements. The model
shown in Figure 1 covers all the requirements of ISO 13485, but does not show processes at a detailed level.

Figure 1 — Model of a process-based quality management system
vi © ISO 2004 – All rights reserved

ISO/TR 14969:2004(E)
In addition, the methodology known as “Plan-Do-Check-Act” (PDCA) can be applied to all processes. PDCA
can be briefly described as follows.
Plan: establish the objectives and processes necessary to deliver results in accordance with customer
requirements and the organization’s policies.
Do: implement the processes.
Check: monitor and measure processes and product against policies, objectives and requirements for
the product and report the results.
Act: take actions to improve process performance.
0.3 Relationship with other standards, guidance documents and regulatory requirements
The relationship between ISO 13485, this Technical Report and the general standards for quality
management systems (ISO 9001 and ISO 9004) is summarized as follows.
a) This Technical Report provides guidance on the application of ISO 13485.
b) ISO 13485 specifies requirements for quality management systems in order to achieve regulatory
compliance in the medical devices industries. It follows the format, structure and process approach of
ISO 9001. It differs from ISO 9001 in that it specifies additional requirements but does not include the
explicit requirements for continual improvement and customer satisfaction.
c) ISO 9001 is an International Standard for quality management systems in general.
d) ISO 9004 gives guidance on a wider range of objectives of quality management systems than does this
Technical Report, particularly for the continual improvement of an organization’s overall performance and
efficiency, as well as its effectiveness. ISO 9004 is suitable as a guide for organizations whose top
management wishes to move beyond the requirements of ISO 13485, in pursuit of continual performance
improvement and customer satisfaction. However, it is not intended for certification or for contractual
purposes.
ISO 13485 includes those generic quality management system requirements contained in ISO 9001 that are
relevant to a regulated organization that designs and develops, produces, installs and/or services medical
devices, or which designs and develops and provides related services. This Technical Report, however, does
not set out to provide specific guidance with respect to these generic quality management system
requirements which are common to both ISO 13485 and ISO 9001. Guidance on ISO 9001 can be found, for
example, in the ISO brochure, ISO 9001 for Small Businesses – What to do, and in ISO 9000 Introduction and
Package module.
Guidance provided in this Technical Report has taken into consideration requirements and guidance
contained in documents from the following organizations:
 Global Harmonization Task Force (GHTF);
 International Organization for Standardization (ISO);
 European Committees for Standardization (CEN and CENELEC);
 national regulatory bodies.
Many of these documents are listed in the Bibliography.
ISO/TR 14969:2004(E)
0.4 Compatibility with other management systems
Conformance to ISO 13485 quality management system requirements does not automatically constitute
conformity with national or regional regulatory requirements. It is the organization’s responsibility to identify
and establish compliance with relevant regulatory requirements.

viii © ISO 2004 – All rights reserved

TECHNICAL REPORT ISO/TR 14969:2004(E)

Medical devices — Quality management systems — Guidance
on the application of ISO 13485:2003
1 Scope
1.1 General
This Technical Report provides guidance for the application of the requirements for quality management
systems contained in ISO 13485. It does not add to, or otherwise change, the requirements of ISO 13485.
This Technical Report does not include requirements to be used as the basis of regulatory inspection or
certification assessment activities.
NOTE The terms “should”, “can” and “might” within this Technical Report are used as follows. “Should” is used to
indicate that, amongst several possibilities to meet a requirement in ISO 13485, one is recommended as being particularly
suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required.
“Can” and “might” are used to indicate possibilities or options. These terms do not indicate requirements.
This guidance can be used to better understand the requirements of ISO 13485 and to illustrate some of the
variety of methods and approaches available for meeting the requirements of ISO 13485.
1.2 Application
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory
purposes
ISO/TR 14969:2004(E)
1.2.1 General
Certain product realization requirements of ISO 13485 can legitimately be omitted in one of two ways: they
can be “excluded”, or they might be “not applicable”. It is important to note, however, that any exclusion or
non-applicability should be detailed and justified in the organization’s quality manual.
1.2.2 Exclusions
Some regulatory requirements permit organizations to place some medical devices on the market without
having to demonstrate conformance with design and development controls (see ISO 13485:2003, 7.3).
Organizations should determine the exclusion of 7.3 on a product-by-product, market-by-market basis.
Even if the organization is permitted by regulations to exclude the requirements of 7.3, it still has obligations to
meet product realization requirements of ISO 13485:2003, 7.2, 7.4 and 7.5 and 7.6.
1.2.3 Non-applicability
ISO 13485 provides for the organization to omit from its quality management system those product realization
requirements that are not applicable due to the nature of the medical device.
For example, an organization providing single-use, sterile medical devices does not need to include within its
quality management system elements related to installation and servicing. Similarly, an organization providing
non-sterile medical devices does not need to include the elements related to sterilization.
It is important for the organization to review carefully all the requirements of ISO 13485:2003, Clause 7, in
order to identify those requirements that do apply to functions performed by the organization. Once those
requirements are identified, the organization is obliged to comply with ISO 13485:2003, 7.1, and to perform
the planning associated with identified product realization requirements.
EXAMPLE An organization intends
 to place its own label on a medical device designed and developed, produced, and serviced by suppliers outside its
quality management system, and to market this medical device,
 to communicate with customers who have purchased the medical device, and
 to have systems in place for receiving customer complaints.
Even though the organization does not perform design and development activities itself, it cannot consider 7.3 to be
non-applicable. It still has obligations to meet the requirements of 7.3, unless relevant regulations permit an exclusion.
Once the organization identifies those requirements, it is obliged under 7.1 to plan for the quality management system
processes needed to meet those requirements.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 9000:2000, Quality management systems — Fundamentals and vocabulary
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory purposes
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 9000 and ISO 13485 apply.
NOTE The terms provided in Annex A should be regarded as generic, as definitions provided in national regulatory
requirements can differ.
2 © ISO 2004 – All rights reserved

ISO/TR 14969:2004(E)
4 Quality management system
4.1 General requirements
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory
purposes
4.1.1 An element of managing an organization is the implementation and maintenance of an effective
quality management system that is designed to enable an organization to provide medical devices that meet
customer and regulatory requirements.
The organization can maintain the effectiveness of its established quality management system through a
range of activities, such as
 internal audits,
 management review,
 corrective and preventive actions, and
 independent external assessments.

ISO/TR 14969:2004(E)
4.1.2 Maintaining the effectiveness of the quality management system in its ability to meet customer and
regulatory requirements will typically involve the organization responding effectively to external factors, such
as
 changes in regulatory requirements, including adverse event reporting, and
 customer feedback,
and internal changes, such as changes to
 key personnel,
 facilities,
 manufacturing processes and equipment, including related software,
 software related to the quality management system, and
 product, including software.
4.1.3 Examples of activities to maintain an effective quality management system include
 defining and promoting processes which lead to achieving regulatory compliance,
 acquiring and using process data and information on a continuing basis,
 determining and providing resources, including human and information system resources,
 directing necessary changes to the quality management system, and
 using suitable evaluation methods such as internal audits and management reviews.
For guidance on activities related to outsourced processes, see 7.4.1.
4.2 Documentation requirements
4.2.1 General
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory
purposes
4 © ISO 2004 – All rights reserved

ISO/TR 14969:2004(E)
4.2.1.1 Documented quality management system procedures are required for applicable requirements of
ISO 13485 and should be consistent with the organization’s quality policy. It is important to recognize that the
structure and level of detail required in these procedures should be tailored to the needs of the organization,
which in turn are dependent on the methods used and the skills and qualifications of the organization’s
personnel performing the activities in question (see also 6.2.2).
Procedures or instructions may be presented in text, graphic or audio-visual form. Frequently a simple set of
pictures can convey the requirements more accurately than a lengthy detailed description.
4.2.1.2 Documented procedures, including work instructions and flowcharts, should be stated simply,
unambiguously and understandably, and should indicate methods to be used and criteria to be satisfied.
These procedures typically define activities and describe
 what is to be done, and by whom,
 when, where and how it is to be done,
 what materials, equipment and documents are to be used,
 how an activity is to be monitored and measured, and
 what records are required.
4.2.1.3 Documentation should be evaluated with respect to the effectiveness of the quality management
system against criteria, such as
 functionality,
 human interfaces,
 resources required,
 policies and objectives, and
 interfaces used by the organization’s customers and suppliers.
4.2.1.4 The file for each type or model of medical device referred to in ISO 13485:2003, 4.2.1 is
sometimes referred to by different terms (see Annex A, section B). This file can contain, or give reference to
the location of, documentation relevant to the manufacture of that product. Examples of such documentation
include
 specifications for raw materials, labelling, packaging materials, sub-assemblies and medical devices,
 parts lists,
 engineering drawings,
 software programs, including source code (if available),
 work instructions, including equipment operation,
 sterilization process details, if applicable,
 quality plans,
 manufacturing/inspection/test procedures, and
 acceptance criteria.
ISO/TR 14969:2004(E)
4.2.1.5 The documentation referred to in ISO 13485:2003, 4.2.1 forms part of the quality management
system and should be subject to document and record control procedures (see 4.2.3 and 4.2.4).
4.2.2 Quality manual
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory
purposes
There is no specific guidance for this subclause of ISO 13485.
NOTE Additional information relating to quality manuals is available in ISO/TR 10013.
4.2.3 Control of documents
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory
purposes
6 © ISO 2004 – All rights reserved

ISO/TR 14969:2004(E)
4.2.3.1 The system established for the control of internal and external documents will, if appropriate
 assign responsibilities for preparation, approval and issue of documents,
 ensure prompt withdrawal of obsolete copies of controlled documents,
 define a method for recording the implementation date of a document change, and
 allow controlled and non-controlled documents to be distinguished.
The quality management system may also identify recipients of controlled copies of documents.
4.2.3.2 Documents may be reviewed at various times throughout the life of a document, for example, as
a result of
 facilities, personnel or organizational changes,
 audit activities,
 acquisitions,
 new products, technologies or software,
 a requirement of the organization's quality management system for periodic review.
4.2.3.3 Document control procedures can be assisted by the adoption of a consistent structure for the
documents within the quality management system. These procedures should clearly indicate what document
control information should be included in each document. Consideration should be given to the inclusion of
 title and scope,
 document reference number,
 date of issue/date effective,
 revision status,
 review date or review frequency, as required by the quality management system,
 revision history,
 originator or author,
 person(s) approving it,
 person(s) issuing it,
 distribution,
 pagination, and
 computer file reference, if applicable.
4.2.3.4 The topic of electronic documents is complex and evolving. National or regional regulations and
guidance documents might address requirements for the organization to establish documented procedures
specifically for control of electronic records. This may include, but is not limited to, access, storage,
reproducibility, readability, audit trails and electronic signatures, if appropriate.
4.2.3.5 Organizations are required by ISO 13485 to define the lifetime of each of their medical devices;
considerations for establishing the lifetime of the medical device are to be found in 7.1.
Document retention time should take into consideration
 period of time the medical device is expected to be in the market place,
 legal considerations including liability,
 need or advisability of keeping documents indefinitely,
 retention time of related records, and
 spare parts availability.
ISO/TR 14969:2004(E)
4.2.3.6 The organization should retain at least one copy of obsolete controlled documents for at least the
minimum period of time required by regulation. Obsolete documents should also be retained for as long as is
necessary to understand the content of records which are related to the document (see 4.2.4).
ISO 13485 requires the organization “to apply suitable identification” to obsolete documents; such
identification can be applied physically (as with a stamp) or electronically (as in a computerized database).
ISO 13485 recognizes that there might be specific regional or national regulatory requirements for the
retention of documents made obsolete by changes in medical devices or the quality management system. The
organization should determine whether any market that it supplies has such regulatory requirements and
should establish a system to ensure that such obsolete documents are retained for an appropriate period.
4.2.4 Control of records
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory
purposes
4.2.4.1 Records can be considered as falling into one of three categories, as follows:
a) those that relate to the design, and the manufacturing processes, affecting all medical devices of a
particular type;
b) those that relate to the manufacture or distribution of an individual medical device or batch of medical
devices;
c) those that demonstrate the effective operation of the overall quality management system (system
records).
It is clear that records in categories a) and b) are related directly to particular medical devices. Those in
category a) should be kept for a time at least equivalent to the lifetime of the medical device after manufacture
of the last product made to that design. Those records in category b) should be kept for a time at least
equivalent to the lifetime of that particular batch of medical devices.
4.2.4.2 Some system records may also have a retention period related to the lifetime of a medical device;
for example, calibration and training of individuals. For some other system records, it is less straightforward to
relate them to the lifetime of a medical device; for example, management review, internal audit, infrastructure,
evaluation of some suppliers and analysis of data. In these cases, the organization is required by ISO 13485
to identify an appropriate retention period. In defining this retention period, the organization should take into
account the nature of the medical device, the risks associated with its use, the records involved and relevant
regulatory requirements.
4.2.4.3 Records should be stored safely, protected from unauthorized access, and protected from
alteration. These records should be properly identified, collected, indexed and filed, and should be readily
accessible as and if needed. They may be stored or copied in any suitable form (e.g. hardcopy or electronic
media). If records are retained on electronic media, consideration of the retention times and accessibility of
the records should take into account the degradation of the electronic data and the availability of devices and
software needed to access the records. Such copies of records should contain all the relevant information
captured in the original records.
8 © ISO 2004 – All rights reserved

ISO/TR 14969:2004(E)
4.2.4.4 Hand-written entries should be made by indelible medium. Persons making authorized entries on
records or verifying such entries should do so in clear legible writing, and should confirm the entry by adding
their initials, signature or equivalent, and the date.
Good recording practices can include the following procedures, as appropriate:
 enter data and observations as they occur;
 do not pre-date or post-date records;
 do not use another person’s initial, signature or equivalent;
 complete all fields or check-offs when using a form;
 refer to raw data when transferring data, and have the transcription verified by a second person;
 verify all entries for completeness and correctness;
 number pages to ensure completeness.
4.2.4.5 If an error is made or detected on a record, it should be corrected in such a manner that the original
entry is not lost and the correction is initialed and dated. If appropriate, the reason for the correction should be
recorded. Where electronic records systems are used in place of paper-based ones, these systems should,
wherever possible, incorporate time-stamped, immutable, system-generated audit trails, for tracking changes.
Such audit trails may include the identity of the authorized user, creations, deletions, modifications/
corrections, time and date, links and embedded comments.
4.2.4.6 The organizations may have alternative provisions for critical data entry of electronic records, for
example,
 a second authorized person with logged name and identification, with time and date, can verify data entry
via the keyboard, or
 systems with direct data capture can have the second check as a part of validated system functionality.
A system should be implemented that assures the integrity of electronic records and protects against
unauthorized entries. The topic of electronic records is complex and evolving. National or regional regulations
and guidance documents might address requirements for the organization to establish documented
procedures specifically for control of electronic records. This might include, but not be limited to, access,
storage, reproducibility, readability, audit trails and electronic signatures, if appropriate.
4.2.4.7 In addition to considering the lifetime of the device (see 7.1) in determining record retention time,
legal considerations, including liability, and the need or advisability of keeping records indefinitely, should be
considered.
5 Management responsibility
5.1 Management commitment
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory
purposes
ISO/TR 14969:2004(E)
It is important to note the emphasis on “top management” throughout this subclause. This is intended to
ensure that the quality management system is effective as a result of commitment on the part of management
at the highest levels of the organization.
Top management’s commitment is best demonstrated by its actions.
Remembering that the quality management system is a set of interrelated processes, top management should
ensure that processes operate as an effective network.
Consideration should be given to
 ensuring that the sequence and interaction of processes are designed to achieve the planned results
effectively,
 ensuring that process inputs, activities and outputs are clearly defined and controlled,
 monitoring inputs and outputs to verify that individual processes are linked and operate effectively,
 identifying hazards and managing risks,
 conducting data analysis to facilitate necessary improvement of processes,
 identifying process owners and giving them responsibility and authority, and
 managing each process to achieve the process objectives.
5.2 Customer focus
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory
purposes
This subclause is intended to emphasize the responsibility of top management to make certain that customer
requirements are understood and that the necessary resources are made available to meet those
requirements, regardless of who in the organization actually undertakes the interaction with the customer. The
references to ISO 13485:2003, 7.2.1 and 8.2.1, are pointers to what this process will be expected to cover.
5.3 Quality policy
ISO 13485:2003, Medical devices — Quality management systems — Requirements for regulatory
purposes
10 © ISO 2004 – All rights reserved

ISO/TR 14969:2004(E)
The quality policy establishes
 a commitment to quality and the continuing effectiveness of the quality management system to meet
customer and regulatory requirements,
 the context for quality objectives, and
 the relation
...