Whether you're developing a brand new medical device or scaling your team to expand existing operations, there is a single constant. In the life-science industry, your people must be adequately trained - and you must have the evidence to prove it. Here’s how and why many companies are still failing to meet the training requirements laid out in ISO 13485.
Despite clear training requirements being embedded in ISO 13485 and the regulations that increasingly align with it, a surprising number of companies still fail to meet the standard.
In 2024, compliance analysis showed 15% of FDA Form 483 observations for medical device developers were linked to training programmes.
The majority of these observations arose, not from inaccurate materials or course content, but from inadequate training procedures and documentation.
These compliance failures reflect the inability of many companies to scale their existing training tools and approaches to meet the standards' expectations.
After all, it’s a fact that many proprietary eQMS tools still lack built-in training modules - and the documentation control and training traceability required by ISO 13485 are hard to achieve with spreadsheets, email notifications, and siloed systems that so many still cling to.
Training has long been a requirement under ISO 13485. However, the 2016 revision of the standard significantly raised the bar for evidencing compliance.
Earlier versions of ISO 13485 focused largely on record-keeping. It was enough for employers to ‘self-attest’ to their training. But clause 6.2 of the updated standard introduced explicit, outcome-based requirements for managing training and demonstrating worker competence in regulated environments.
Here are three changes that came with the 2016 iteration of ISO 13485;
Clause 6.2 of ISO 13485:2016 states:
“Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.
The organisation shall:
— ISO 13485:2016, Clause 6.2
In practical terms, this means that organisations must:
While Clause 6.2 does not explicitly mention SOP versions, ISO 13485:2016 requires companies to ensure that competence is maintained, which inherently includes keeping training aligned with the current version of controlled documents.
This expectation is reinforced by Clause 4.2.4, which governs document control. It requires organisations to:
When read together, these clauses form the basis for what auditors expect:
The 2016 revision also introduced risk-based thinking as a foundational principle across every QMS - including training.
A note in Clause 6.2 states that developers must be confident:
“The methodology used to check effectiveness is proportionate to the risk associated with the work for which the training or other action is being provided.”
This implies:
ISO 13485:2016 sets a much higher bar for training and competence - requiring organisations to define role-specific requirements, evaluate effectiveness, maintain traceable records, and align training with risk.
Yet many companies still fall short on these demands. As teams grow and onboarding becomes more complex, training often remains a disconnected process, still managed outside the QMS.
In these circumstances, training compliance can become a serious blind spot - untracked, outdated, and hard to properly evidence during audits.
When training is managed outside your core QMS using spreadsheets, HR tools or standalone LMS platforms, critical gaps can emerge that undermine your audit readiness.
Here are five common failure points that many companies fall prey to:
Clause 6.2 of ISO 13485 requires training to be based on defined competence. Clause 4.2.4 demands tight control of the documents that define how work is performed.
In many systems, however, training is not directly tied to the SOPs or work instructions in force. When a procedure changes, the training programme is not updated automatically, and retraining often falls through the cracks.
The result? Staff may unknowingly follow outdated procedures, with no audit trail to prove otherwise. This is a common source of non-conformance.
Training records stored in spreadsheets, inboxes or HR platforms outside the QMS create major traceability issues. When auditors ask the most basic questions like:
With fragmented training records, the answers are often hard to produce quickly or accurately. QA teams are forced into reactive mode, chasing signatures, compiling logs, and discovering gaps they were unaware of.
ISO 13485 requires more than proof that training was delivered. Organisations must also demonstrate that it was effective.
Without assessments, supervisor observation or sign-off (which must be FDA and MHRA compliant), there may be no firm evidence that the individual can perform the task they were trained for.
Businesses need training systems that can assess competence in a variety of ways — from video-based learning and interactive quizzes to formal written assessments.
Auditors expect outcome-based proof of competence, not just a completed training form.
When procedures change or corrective actions are issued, retraining should follow. But if training is not part of your change control or CAPA workflows, it is often overlooked.
This creates traceability gaps that auditors frequently flag. Regulators want to see a clear line from process change to an updated procedure, and proof that all affected personnel have been retrained.
ISO 13485 encourages a risk-based approach to training. That means training should reflect the criticality of the role or task.
High-risk activities such as sterilisation validation, complaint handling, or clinical data analysis may require formal assessments and documented sign-off. In contrast, lower-risk tasks like routine document reviews or non-critical updates may only require user acknowledgement.
If your system cannot personalise training by role and risk level, you risk undertraining key staff or overburdening others with unnecessary admin. Either scenario introduces compliance and efficiency issues.
Most companies hit a point where training - once a manageable admin task - becomes a bottleneck. This often happens when:
When you are first building your eQMS, you should consider how your training tools and processes are going to scale with your business - and help you meet all the demands of ISO 13485 now and in the future.