Post-market communication via complaints and MDR-linked activities — 820.198 and 820.100 channels persist as part of ISO 13485 7.2 communications framework.
Pre-contract customer requirement determination becomes an explicit QMS process; advisory notice and field safety corrective action communication procedures required.
Advisory notice procedure and pre-supply requirements review records — Part 820 had no equivalent pre-market requirement determination process.
Maps to
QMSR / ISO 13485: §820.198 Complaint files., §820.100 Corrective and preventive action.
ISO 13485: §7.2 Customer-related processes
Requirement text
Product-related requirements must be determined — including customer requirements, statutory and regulatory requirements, and any additional requirements. Requirements must be reviewed before committing to supply. Customer communication processes must be established, including procedures for advisory notices and field safety corrective actions.
Why this clause exists
Customer requirements determination and review before committing to supply protects against the failure mode of accepting orders for products or configurations that the manufacturer cannot actually deliver to stated requirements — a failure that creates both customer harm (reliance on a product commitment that cannot be fulfilled) and regulatory exposure (delivery of a device that does not meet stated specifications). The requirement to determine statutory and regulatory requirements as part of product requirements reflects the manufacturer's obligation: the customer's stated requirements do not supersede regulatory requirements, and a manufacturer who accepts an order for a device configuration that does not meet applicable regulatory requirements cannot meet the full product requirement set even if the customer specification is satisfied. Customer communication processes — including channels for product information, order changes, complaints, and feedback — create the infrastructure that complaint handling and post-market surveillance depend on: a manufacturer without defined communication processes may receive complaint information in a manner that does not trigger the formal handling procedure, allowing complaints to be addressed informally without the mandatory evaluation, investigation, and MDR-reporting steps. The advisory notice and field safety corrective action (FSCA) procedures within the customer communication framework address the field-side of recalls and safety actions: when a recall is initiated, the ability to communicate promptly, accurately, and with documented evidence of customer notification is what regulatory authorities examine during recall oversight.
What changed
§820.198 / §820.100 — Part 820 (legacy)
"Each manufacturer shall maintain complaint files. Each manufacturer shall establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit. Such procedures shall ensure that: (1) All complaints are processed in a uniform and timely manner; (2) Oral complaints are documented upon receipt; and (3) Complaints are evaluated to determine whether the complaint represents an event which is required to be reported to FDA under part 803 of this chapter, Medical Device Reporting. Each manufacturer shall review and evaluate all complaints to determine whether an investigation is necessary. When no investigation is made, the manufacturer shall maintain a record that includes the reason no investigation was made and the name of the individual responsible for the decision not to investigate. Any complaint involving the possible failure of a device, labeling, or packaging to meet any of its specifications shall be reviewed, evaluated, and investigated, unless such investigation has already been performed for a similar complaint and another investigation is not necessary. Any complaint that represents an event which must be reported to FDA under part 803 of this chapter shall be promptly reviewed, evaluated, and investigated by a designated individual(s) and shall be maintained in a separate portion of the complaint files or otherwise clearly identified. In addition to the information required by § 820.198(e), records of investigation under this paragraph shall include a determination of: (1) Whether the device failed to meet specifications; (2) Whether the device was being used for treatment or diagnosis; and (3) The relationship, if any, of the device to the reported incident or adverse event. When an investigation is made under this section, a record of the investigation shall be maintained by the formally designated unit identified in paragraph (a) of this section. The record of investigation shall include: (1) The name of the device; (2) The date the complaint was received; (3) Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used; (4) The name, address, and phone number of the complainant; (5) The nature and details of the complaint; (6) The dates and results of the investigation; (7) Any corrective action taken; and (8) Any reply to the complainant. When the manufacturer's formally designated complaint unit is located at a site separate from the manufacturing establishment, the investigated complaint(s) and the record(s) of investigation shall be reasonably accessible to the manufacturing establishment. If a manufacturer's formally designated complaint unit is located outside of the United States, records required by this section shall be reasonably accessible in the United States at either: (1) A location in the United States where the manufacturer's records are regularly kept; or (2) The location of the initial distributor. Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action. The procedures shall include requirements for: (1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems; (2) Investigating the cause of nonconformities relating to product, processes, and the quality system; (3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems; (4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device; (5) Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems; (6) Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems; and (7) Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review. All activities required under this section, and their results, shall be documented."
§7.2 — ISO 13485:2016 (current)
"7.2.1 Determination of requirements related to product The organization shall determine: a) requirements specified by the customer, including the requirements for delivery and post-delivery activities; b) requirements not stated by the customer but necessary for specified or intended use, as known; c) applicable regulatory requirements related to the product; d) any user training needed to ensure specified performance and safe use of the medical device; e) any additional requirements determined by the organization. 7.2.2 Review of requirements related to product The organization shall review the requirements related to product. This review shall be conducted prior to the organization's commitment to supply product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders) and shall ensure that: a) product requirements are defined and documented; b) contract or order requirements differing from those previously expressed are resolved; c) applicable regulatory requirements are met; d) any user training identified in accordance with 7.2.1 is available or planned to be available; e) the organization has the ability to meet the defined requirements. Records of the results of the review and actions arising from the review shall be maintained (see 4.2.5). When the customer provides no documented statement of requirement, the customer requirements shall be confirmed by the organization before acceptance. When product requirements are changed, the organization shall ensure that relevant documents are amended and that relevant personnel are made aware of the changed requirements. 7.2.3 Communication The organization shall plan and document arrangements for communicating with customers in relation to: a) product information; b) enquiries, contracts or order handling, including amendments; c) customer feedback, including complaints; d) advisory notices. The organization shall communicate with regulatory authorities in accordance with applicable regulatory requirements."
Δ Customer-related processes are a new structured category in ISO 13485; user training determination, pre-contract requirements review, and regulatory authority communication are all requirements with no Part 820 equivalent.
Common gaps (what we see in audits)
- Missing Advisory Notice / FSCA Communication Procedure — There is no documented procedure for communicating advisory notices, field safety corrective actions, or recalls to customers, distributors, and regulatory authorities. ISO 13485 clause 7.2.3 explicitly requires planning of communication arrangements including advisory notices.
- No Formal Customer Requirements Determination Process — There is no documented process for proactively determining customer requirements, including requirements not explicitly stated by the customer but necessary for intended use. Companies respond to customer orders but do not systematically determine and document the full set of requirements before committing to supply.
- No Contract or Order Review Procedure — Customer orders or contracts are accepted without a documented review process verifying the organization's ability to meet requirements. ISO 13485 clause 7.2.2 requires review of product-related requirements before commitment, with records maintained.
- Customer Feedback Not Integrated into QMS — Customer feedback is handled informally through sales or customer service without systematic capture, evaluation, and integration into the QMS. ISO 13485 clause 7.2.3 requires documented customer communication arrangements including feedback, which must feed into corrective action and management review processes.
- Missing communication for 'Advisory Notices' — The communication procedure fails to define how 'Advisory Notices' (recalls) are communicated to customers. ISO 13485 §7.2.3 requires this.