What ISO 13485 Clause 7.2 Actually Requires
If you work in the medical device industry and you are preparing for ISO 13485 certification, Clause 7.2 on competence is one of those requirements that looks straightforward on paper but trips up a surprising number of organisations during audit. The clause is short. The intent is clear. But the evidence organisations produce to satisfy it is often incomplete, inconsistent, or disconnected from the actual risks in their processes.
On this page
ISO 13485 is the international standard for quality management systems in the design, manufacture, and supply of medical devices. Unlike ISO 9001, which applies broadly across industries, ISO 13485 operates in a regulated environment where patient safety is the underlying concern behind every requirement. That context matters enormously when you are thinking about competence. A person who is not adequately trained or qualified to perform a critical task in a medical device organisation is not just an internal quality problem. It is a potential patient safety issue.
Clause 7.2 sits within Section 7 of the standard, which covers product realisation. It deals specifically with the people doing the work, and it requires organisations to determine what competence is needed, ensure that people have it, evaluate whether training has been effective, and keep records to prove all of this. This article walks through each of those requirements in practical terms, with real world examples to show what good looks like and what auditors are actually looking for.
The Four Core Requirements of Clause 7.2
The clause breaks down into four interconnected obligations. Understanding each one individually helps you build a system that actually works rather than just ticking boxes on a form.
Determining the Necessary Competence
The first step is identifying what competence is required for each role that affects product quality and safety. This is not just about listing job titles. It means defining the specific education, training, skills, and experience that a person needs to perform their role effectively and without creating risk to the product or the patient.
Think about a production operator assembling a Class II medical device. The competence requirements for that role might include completion of a specific induction programme, demonstrated understanding of the assembly procedure, knowledge of what constitutes a non-conforming product, and the ability to correctly use inspection tools. All of that needs to be defined somewhere, usually in a job description, competence matrix, or role-specific training plan.
The standard also requires that you consider the regulatory requirements applicable to your products and markets. If you are supplying into Australia and your products are regulated under the Therapeutic Goods Administration framework, your competence requirements need to reflect that regulatory context. The same applies to the US FDA, the EU MDR, or any other market you supply into.
Ensuring People Are Competent
Once you have defined what competence looks like, you need to make sure your people actually have it. This is where training programmes, onboarding processes, mentoring arrangements, and qualification systems come in. The standard accepts that competence can be acquired through education, training, or experience. It does not prescribe a single method.
A common approach in medical device companies is a combination of documented training on procedures, on-the-job observation and sign-off by a qualified assessor, and periodic refresher training when procedures change or when performance issues are identified. The key is that the approach is systematic and documented, not ad hoc.
One area where organisations often fall short is with experienced staff who have been doing the same job for years. There is a tendency to assume that because someone has been doing the role for a long time, their competence is self-evident. But ISO 13485 does not accept assumptions. If a long-serving employee has never had their competence formally assessed and documented, that is a gap. Auditors will find it.
Evaluating the Effectiveness of Training
This is the requirement that most organisations handle poorly. The standard does not just ask whether training was delivered. It asks whether the training worked. Those are very different questions.
A common approach is to have employees sit a short written test after completing a training module and record the result. That can be acceptable, but it depends on what the test actually measures. A multiple choice quiz about the content of a procedure does not necessarily demonstrate that a person can apply that procedure correctly in practice. For higher-risk tasks, effectiveness evaluation should include some form of practical assessment or observed performance.
Consider a sterilisation technician responsible for validating sterilisation cycles. A written test might confirm they understand the theory. But effectiveness evaluation for a role like that should also include verification that they can correctly interpret cycle data, identify deviations, and take appropriate action. The evaluation method needs to be proportionate to the risk associated with the task.
It is also worth noting that effectiveness evaluation is not a one-time event. If a procedure changes significantly, or if non-conformances are traced back to a competence gap, retraining and re-evaluation are required.
Maintaining Records of Competence
Clause 7.2 requires documented information as evidence of competence. In practice, this means training records, qualification certificates, competency assessments, and any other evidence that demonstrates a person meets the requirements for their role. These records need to be controlled in accordance with Clause 4.2, which covers the management of documented information.
The records requirement in ISO 13485 is stricter than in ISO 9001 because of the regulatory environment. Traceability of competence is important not just for audit purposes but because regulators, including the TGA in Australia and the FDA in the United States, may request evidence that personnel involved in manufacturing or quality activities were appropriately qualified. Inadequate records are a genuine regulatory risk, not just an audit finding.
If you want to understand how competence records fit into the broader documented information requirements of a management system, the article on what are controlled documents and how to implement them provides useful context.
Practical Examples of Clause 7.2 in Different Scenarios
Abstract requirements become much clearer when you look at how they apply in specific situations. Here are several real world scenarios that illustrate what Clause 7.2 looks like in practice across different roles and contexts.
Example 1: New Production Operator in a Device Assembly Facility
A medical device manufacturer hires a new assembly operator with no prior experience in the industry. Under Clause 7.2, the organisation needs to define the competence required for that role, deliver training to bring the person up to that standard, evaluate whether the training has been effective, and keep records of the whole process.
In practice, this might look like the following. The role has a documented competence profile that specifies required training modules, a minimum score on a written assessment, and sign-off by a supervisor after a period of supervised work. The new operator completes the induction training, passes the written assessment with a score above the required threshold, and is observed performing the assembly task independently before the supervisor signs off their qualification record. All of this is recorded in the training management system.
Six months later, a procedure is updated due to a design change. The operator is retrained on the updated procedure, the effectiveness of that retraining is evaluated, and the training record is updated. That is a complete and compliant approach to Clause 7.2 for that individual.
Example 2: Quality Manager Moving From ISO 9001 to ISO 13485
An organisation transitioning from ISO 9001 to ISO 13485 has an experienced quality manager who has been running the QMS for several years. The manager is highly competent in quality management generally but has limited knowledge of medical device regulations and the specific requirements of ISO 13485.
Under Clause 7.2, the organisation needs to identify this gap and address it. Simply assuming that general quality management experience is sufficient would be a mistake. The competence profile for the quality manager role should include knowledge of the applicable regulatory framework, familiarity with ISO 13485 requirements, and an understanding of how those requirements differ from ISO 9001.
The organisation might address this through a combination of external training, self-directed study of the standard, and participation in an ISO 13485 implementation project under the guidance of an experienced consultant. The effectiveness of this development would then be evaluated, perhaps through a structured review of the manager’s ability to correctly interpret and apply the standard’s requirements. Records of all of this are maintained.
If you are going through this kind of transition and need help finding a consultant with genuine ISO 13485 experience, here is why industry expertise matters when selecting an ISO consultant.
Example 3: Contract Manufacturer Supplying a Finished Device Manufacturer
A contract manufacturer produces components that are incorporated into a finished medical device. The finished device manufacturer holds the ISO 13485 certificate, but the contract manufacturer is within the scope of the QMS as a supplier performing outsourced processes.
In this scenario, the finished device manufacturer has an obligation under Clause 7.2 to ensure that personnel at the contract manufacturer who perform work affecting product quality are competent. This does not necessarily mean the finished device manufacturer trains those staff directly. But it does mean there needs to be a mechanism for verifying competence, whether through supplier audits, review of the contract manufacturer’s training records, or contractual requirements for qualification standards.
This is an area where supplier management and competence management intersect. Auditors will look for evidence that the finished device manufacturer has not simply assumed its suppliers have competent staff but has taken steps to verify it.
Example 4: Regulatory Affairs Specialist
A regulatory affairs specialist is responsible for preparing and submitting technical documentation for device registration in multiple markets. The competence requirements for this role are specific and demanding. They include knowledge of the relevant regulatory frameworks, experience with technical file preparation, understanding of clinical evaluation requirements, and familiarity with post-market surveillance obligations.
Under Clause 7.2, the organisation needs a competence profile for this role that captures all of these requirements. If the specialist’s knowledge of a particular market’s regulatory requirements is limited, that is a competence gap that needs to be addressed. This might involve targeted training, attendance at regulatory seminars, or engagement with a regulatory consultant for that specific market. The training and its effectiveness evaluation need to be documented.
For context on how ISO 13485 fits into the broader picture of regulatory compliance for medical device organisations, the article on how much ISO 13485 certification costs in Australia covers some of the practical considerations for organisations getting started.
Building a Competence Management System That Satisfies Clause 7.2
Rather than treating Clause 7.2 as a set of individual requirements to satisfy in isolation, it is more effective to build a coherent competence management system that addresses all of them together. Here is a practical approach.
Step 1: Create a Competence Matrix
A competence matrix is a document that maps roles to required competencies. For each role, it specifies the education, training, skills, and experience required. This gives you a clear baseline against which to assess your current workforce and identify gaps. It also makes it much easier to manage onboarding, role changes, and succession planning.
The matrix should be reviewed whenever roles change, processes are updated, or new regulatory requirements come into force. It is a living document, not something you create once and forget about.
If you want to go deeper on building this kind of tool, the article on how to build an ISO training matrix for your team is a practical starting point.
Step 2: Implement a Structured Training Programme
Training should be planned, documented, and linked to the competence requirements in your matrix. For each training activity, you should document what was covered, who attended, when it was delivered, and how effectiveness was evaluated. Training records should be retained for the period required by your documented information retention policy, which in a medical device context is typically linked to the product lifecycle.
Training methods should be appropriate to the task. Classroom or e-learning training may be sufficient for procedural knowledge. But for tasks that require manual dexterity, judgement, or complex decision-making, practical assessment is essential.
Step 3: Evaluate Effectiveness Consistently
Define your effectiveness evaluation criteria before training is delivered, not after. For each training activity, decide in advance what evidence will demonstrate that the training has worked. This might be a test score, a supervisor sign-off after observed performance, a reduction in errors on a specific task, or a combination of these.
Document the evaluation results and link them back to the training record. If the evaluation reveals that training has not been effective, document the action taken and the follow-up evaluation.
Step 4: Maintain Accessible, Controlled Records
Competence records need to be readily accessible during an audit. Auditors will typically ask to see records for specific individuals, and they will check that the records are complete, current, and controlled. Records stored in spreadsheets on individual computers or in paper files without version control are a common source of audit findings. A centralised training management system, even a simple one, makes this much easier to manage.
Common Audit Findings Related to Clause 7.2
Having audited ISO 13485 systems across a range of medical device organisations, certain patterns come up repeatedly. These are the areas where organisations most commonly receive non-conformances or observations related to Clause 7.2.
The first is missing or incomplete training records. This includes records that show training was delivered but contain no evidence of effectiveness evaluation, records that are not linked to specific procedures or competence requirements, and records for some staff but not others in the same role.
The second is competence profiles that are too vague. A competence profile that simply says “relevant experience required” or “training as required” does not satisfy the clause. The requirements need to be specific enough to be measurable.
The third is failure to update training records when procedures change. When a procedure is revised, everyone affected by that procedure needs to be retrained and the effectiveness of that retraining evaluated. Many organisations update the procedure but do not systematically manage the retraining requirement.
The fourth is inadequate effectiveness evaluation. As discussed above, a tick-box approach to effectiveness evaluation that does not genuinely test whether training has worked is a common finding, particularly for higher-risk tasks.
The fifth is gaps for long-serving staff. Experienced employees who have never had their competence formally assessed and documented represent a common gap, particularly in organisations that have recently implemented ISO 13485 for the first time.
For more on how to approach your preparation for a Stage 1 audit under ISO 13485, the article on how to prepare for an ISO 13485 Stage 1 audit covers the key areas auditors focus on.
How Clause 7.2 Connects to Other Parts of ISO 13485
Clause 7.2 does not operate in isolation. It connects to several other parts of the standard in ways that are worth understanding.
It connects to Clause 6.2, which deals with human resources and includes the requirement to determine and provide the resources needed to implement and maintain the QMS. Competence is a human resource issue at its core.
It connects to Clause 4.2 on documented information, because competence records are a specific category of documented information that must be controlled and retained.
It connects to Clause 8.5 on production and service provision, because the competence of personnel performing production activities directly affects product conformity and safety.
It also connects to Clause 5.6 on management review, because competence gaps, training effectiveness data, and workforce capability are inputs that management should be reviewing as part of their ongoing oversight of the QMS.
Understanding these connections helps you build a system where competence management is integrated into the broader quality management framework rather than sitting as a standalone HR function with limited connection to quality outcomes.
Getting Help With ISO 13485 Compliance
ISO 13485 is a demanding standard, and Clause 7.2 is just one of many requirements that need to be implemented correctly. For medical device organisations going through certification for the first time, or for those preparing for a surveillance audit after receiving findings related to competence, working with a consultant who has genuine experience in the medical device sector makes a significant difference.
At CertBetter, we connect medical device businesses with verified ISO consultants and accredited certification bodies who have specific ISO 13485 experience. You submit one form and receive up to three competing quotes from vetted providers. The service is completely free for businesses seeking certification help. If you are navigating Clause 7.2 or any other part of ISO 13485, it is worth getting advice from someone who has been through this process many times before.
