Quality planning framework and product-specific quality objectives — 820.20(d) quality plan concept preserved under ISO 13485 7.1.
Documented risk management processes required as part of product realization planning; quality plan must define verification, validation, acceptance criteria, and required records.
Product-specific quality plans and risk process documentation — organizations with only a QMS-level quality policy and no product-level plans have a structural gap.
Maps to
QMSR / ISO 13485: §820.20(d) Quality planning.
ISO 13485: §7.1 Planning of product realization
Requirement text
Processes needed for product realization must be planned and developed. Planning must determine quality objectives and requirements, product-specific processes and documentation, required verification and validation activities, acceptance criteria at each stage, and records needed to provide evidence of conformity.
Why this clause exists
Product realization planning is the requirement that prevents quality considerations from being appended to the end of a development project as an afterthought. The planning obligation — determining quality objectives, required processes, verification and validation activities, acceptance criteria, and required records before realization begins — creates a structured framework that the rest of the development work executes within. Without that planning framework, quality outcomes are aspirational rather than defined: there is no common reference for what evidence of conformity looks like at each stage, no pre-determined criteria for advancing to the next phase, and no identified records that will constitute proof that conformance was achieved. Acceptance criteria defined in advance also protect against the common failure mode of acceptance criteria set retroactively to match achieved results — if the criteria are established after testing is complete, they cannot perform the gatekeeping function they are meant to provide. The records identification requirement serves the audit and inspection function: inspectors do not simply ask whether activities were performed; they ask for the records that prove activities were performed. A manufacturer that did not plan which records to generate cannot reliably produce them, and absence of planned records is evidence of an inadequate quality plan, not simply an administrative omission.
What changed
§820.20(d) — Part 820 (legacy)
"Each manufacturer shall establish a quality plan which defines the quality practices, resources, and activities relevant to devices that are designed and manufactured. The manufacturer shall establish how the requirements for quality will be met."
§7.1 — ISO 13485:2016 (current)
"The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system. The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained (see 4.2.5). In planning product realization, the organization shall determine the following, as appropriate: a) quality objectives and requirements for the product; b) the need to establish processes and documents (see 4.2.4) and to provide resources specific to the product, including infrastructure and work environment; c) required verification, validation, monitoring, measurement, inspection and test, handling, storage, distribution and traceability activities specific to the product together with the criteria for product acceptance; d) records needed to provide evidence that the realization processes and resulting product meet requirements (see 4.2.5). The output of this planning shall be documented in a form suitable for the organization's method of operations. NOTE Further information can be found in ISO 14971."
Δ Product realization planning now mandates documented risk management processes with maintained records; Part 820's quality plan had no explicit risk management planning obligation.
Common gaps (what we see in audits)
- No Product-Specific Quality Plan — The company has a system-level quality plan or quality manual but no product-specific quality plans defining the processes, verification activities, acceptance criteria, and records applicable to each device type. ISO 13485 clause 7.1 requires product-level planning, not just system-level quality objectives.
- Quality Plan Not Linked to Design Controls and Risk Management — The quality plan exists but does not reference design control deliverables, risk management outputs, or regulatory requirements specific to the product. ISO 13485 clause 7.1 requires planning to be consistent with the other QMS processes, meaning design outputs and risk controls should feed into quality planning.
- Missing 'Product Realization Plan' — The QMS has 'Design Plans' and 'Quality Plans' but lacks an overarching 'Product Realization Plan' for the device lifecycle. ISO 13485 §7.1 requires this planning.
- Risk not integrated in realization planning — The Product Realization Plan fails to reference the Risk Management Plan (ISO 14971). ISO 13485 §7.1 requires risk management in product realization.
- Acceptance Criteria Not Defined Per Product in Quality Plan — The quality plan does not specify product-specific acceptance criteria for each verification, validation, and inspection stage. Generic acceptance criteria (e.g., 'meets specifications') are used without defining what specifications apply at each stage for each product.