Training. It's one of those words that makes quality managers roll their eyes and auditors lean forward in their chairs. In my eight-plus years consulting on ISO 13485 implementations across 200+ medical device companies, training nonconformances are among the top five findings I see in every single audit cycle — not because organizations aren't training their people, but because they aren't documenting it correctly, evaluating its effectiveness, or linking it back to the standard's competence requirements.
This pillar article covers everything you need to know about ISO 13485 training requirements: what the standard actually demands, how to build competence records that survive an audit, and how to implement an effectiveness evaluation process that goes beyond a quiz score. Let's get into it.
What Does ISO 13485 Actually Require for Training?
The core training requirements in ISO 13485:2016 live in Clause 6.2 — Human Resources. The clause is short but dense, and it's worth reading every word.
Clause 6.2.1 (General) requires that personnel performing work affecting product quality must be competent on the basis of:
- Education
- Training
- Skills
- Experience
Clause 6.2.2 (Competence, awareness, and training) expands on this with five specific obligations:
- Determine the necessary competence for each role affecting product quality
- Provide training or take other actions to achieve the necessary competence
- Evaluate the effectiveness of the actions taken
- Ensure personnel are aware of the relevance and importance of their activities
- Maintain appropriate records of education, training, skills, and experience
Notice that the standard doesn't say "conduct training." It says achieve competence. Training is one mechanism — but so are mentoring, job rotation, certification, or supervised practice. This distinction matters enormously during audits.
Citation Hook: ISO 13485:2016 Clause 6.2.2 requires organizations to evaluate the effectiveness of training actions taken, not merely document that training occurred — a distinction that separates compliant QMS programs from audit-ready ones.
The Competence Framework: More Than a Training Matrix
Most companies I audit have a training matrix. Few have a competence framework. Here's the difference.
A training matrix maps roles to required courses. A competence framework maps roles to required outcomes — what a person must be able to do, not just what they must have seen.
Building a Role-Based Competence Profile
For each position that affects product quality (which, in a medical device company, is most of them), you need a documented competence profile that specifies:
| Element | Example for a Production Technician |
|---|---|
| Required Education | High school diploma or equivalent |
| Required Training | GMP basics, ESD awareness, assembly SOP-017 |
| Required Skills | Soldering to IPC-A-610, microscopy inspection |
| Required Experience | 90-day supervised production period |
| Competence Verification Method | Practical assessment scored ≥80%, supervisor sign-off |
| Recertification Frequency | Annual or after SOP revision |
This profile becomes the anchor document from which training records, effectiveness evaluations, and gap analyses all hang. Without it, your training program is just activity — not a system.
Competence Records: What Must You Keep?
Clause 6.2.2(e) requires maintaining "appropriate records of education, training, skills, and experience." The word appropriate is doing a lot of work here. Auditors interpret this to mean records that are:
- Attributable — clearly linked to a named individual
- Legible — readable and unambiguous
- Contemporaneous — created at or near the time of the activity
- Original (or a certified copy) — not reconstructed after the fact
- Accurate — reflective of what actually occurred
These are the ALCOA principles, borrowed from pharmaceutical GMP, but increasingly expected by notified bodies and FDA auditors in medical device contexts.
Minimum Record Components
At a minimum, each training record should capture:
- Trainee name and role — who received the training
- Training title and identifier — what SOP, procedure, or course was covered
- Version/revision level — which version of the document was trained against
- Date of training — when it occurred
- Training method — classroom, CBT, OJT, read-and-understand, etc.
- Trainer/instructor name — who delivered or facilitated
- Effectiveness evaluation result — pass/fail, score, or qualitative assessment
- Trainee and trainer signatures — with dates
- Corrective action (if failed) — what happens if competence isn't demonstrated
Citation Hook: A competence record that captures only course completion — without documenting the effectiveness evaluation result and the specific competence being verified — is insufficient to demonstrate ISO 13485:2016 Clause 6.2.2 compliance and will likely generate a nonconformance finding.
Effectiveness Evaluation: The Most Commonly Failed Requirement
Here's the hard truth: most companies check a box that says "training complete" and call it done. Auditors know this. It's exactly why effectiveness evaluation is one of the most frequently cited nonconformances in ISO 13485 surveillance audits.
According to data from notified body audit findings, Clause 6.2 is cited in approximately 15–20% of all ISO 13485 major and minor nonconformances, making human resources one of the top three most-cited clauses alongside Clause 7.5 (production and service provision) and Clause 8.2 (monitoring and measurement).
So what does an effective effectiveness evaluation actually look like?
The Three Levels of Training Effectiveness
I use a simplified version of the Kirkpatrick model — adapted for regulated medical device environments — to help clients build evaluations that actually work:
Level 1 — Reaction (Did they engage?)
- Post-training surveys
- Attendance records
- Trainer observation notes
- Limitation: Tells you people showed up and didn't hate it. Nothing more.
Level 2 — Learning (Did they acquire the competence?)
- Written knowledge assessments (quizzes, tests)
- Practical demonstrations
- Simulation or scenario-based exercises
- Supervisor skills checklist
- This is the minimum required by ISO 13485.
Level 3 — Behavior (Are they applying it on the job?)
- Observation during routine work
- Error rate tracking pre/post training
- Internal audit findings linked to trained tasks
- Quality metric trend analysis (e.g., rework rates, NCR frequency)
- This is what separates compliant from excellent.
Most organizations stop at Level 1 or attempt Level 2 with a five-question quiz. The standard doesn't prescribe a minimum score, but auditors will challenge you if your pass threshold is set so low it's meaningless (I've seen companies set 60% as a pass — which means you can get four out of ten questions wrong and be "competent"). I recommend a minimum of 80% for knowledge-based assessments, with mandatory retraining and reassessment for failures.
Practical vs. Knowledge-Based Effectiveness Evaluation
For hands-on roles — production technicians, sterilization operators, cleanroom personnel — a written quiz is necessary but not sufficient. You need a practical competency assessment where a qualified evaluator observes the individual performing the actual task and documents their findings against a defined checklist.
| Role Type | Recommended Effectiveness Evaluation Method |
|---|---|
| Production / Assembly | Practical demonstration + supervisor checklist |
| Quality Inspector | Blind sample evaluation + measurement system analysis |
| Document Control | Scenario-based test (simulated change request) |
| Regulatory Affairs | Knowledge assessment + case study review |
| Management / Leadership | Awareness assessment + QMS performance review |
| Sterilization Personnel | Practical demonstration + parameter verification |
| Calibration Technician | Witnessed calibration + records review |
Linking Training to Your QMS Processes
One of the most powerful (and underused) strategies for ISO 13485 training compliance is creating explicit linkages between training records and the QMS processes they support. Here's what that means in practice:
Connect Training to Document Control
Every time an SOP, work instruction, or quality plan is revised, your document control system should trigger a training event for all affected personnel. The training record should reference the specific document number and revision level. During an audit, the auditor will pull a procedure, look at the revision history, and then ask to see the training records for the people who work to that procedure. If your records reference the wrong revision, it's a finding.
Connect Training to CAPA
When a corrective action involves a process breakdown caused by a human error or knowledge gap, the CAPA should include a training element — and that training element should have its own effectiveness check. ISO 13485:2016 Clause 8.5.2 requires you to verify that corrective actions are effective. If the root cause was training-related, your CAPA effectiveness check is your training effectiveness evaluation.
Connect Training to Internal Audit Findings
If your internal audit program identifies recurring findings in a particular area, ask whether training adequacy is a contributing factor. Audit findings are one of the best real-world effectiveness evaluation data points you have — use them.
Citation Hook: Linking ISO 13485 training records directly to document revision history, CAPA outcomes, and internal audit findings creates a closed-loop competence management system that demonstrates systemic effectiveness rather than isolated compliance.
Special Populations: Who Else Needs Training Records?
Clause 6.2 applies to "persons performing work affecting product quality." Don't make the mistake of interpreting this too narrowly. The following groups are often overlooked and consistently challenged in audits:
Contract and Temporary Workers
Contractors are not exempt. If a temporary worker touches product, handles documentation, or performs any quality-critical task, you need competence records for them. Work with your staffing agency to obtain their qualifications and document any site-specific training you provide.
Suppliers and Outsourced Partners
When you outsource processes that affect product quality (e.g., sterilization, testing, manufacturing), Clause 7.4 governs supplier control — but competence of the supplier's personnel is part of what you should be evaluating in supplier qualification and audits.
New Employees During Onboarding
New hire orientation training is often well-documented. The gap I typically find is the transition period — the 30–90 days when a new employee is technically "trained" but operating under supervision. That supervised period should be documented, with clear criteria for when the individual is considered independently competent.
Personnel After Role Changes or Promotions
When someone changes roles — even internally — their competence profile resets to the requirements of the new role. I've seen numerous findings where a promoted employee was assumed to be competent based on their previous role without a formal gap assessment and retraining plan.
Building an Audit-Ready Training Program: A Practical Checklist
After working through hundreds of ISO 13485 audits and implementations, I've distilled the key elements of an audit-ready training program into a single checklist. Use this as a gap assessment tool.
Program Infrastructure
- [ ] Documented procedure for competence, training, and awareness (Clause 6.2.2)
- [ ] Role-based competence profiles for all quality-affecting positions
- [ ] Training matrix linking roles to required training events
- [ ] Defined training record format and storage location (electronic or paper)
- [ ] Record retention policy aligned with ISO 13485 Clause 4.2.5 (typically ≥5 years or product lifetime + 2 years)
Training Execution
- [ ] Training delivered against defined competence requirements (not just course catalogs)
- [ ] Training method appropriate to the competence being built
- [ ] Revision-level of documents referenced in training records
- [ ] Timely completion tracked and escalated when overdue
Effectiveness Evaluation
- [ ] Defined pass threshold for knowledge assessments (recommend ≥80%)
- [ ] Practical assessment checklists for hands-on roles
- [ ] Retraining and reassessment process for failures
- [ ] Level 3 behavioral indicators defined and tracked (error rates, audit findings, etc.)
System Integration
- [ ] Document change process triggers training events
- [ ] CAPA process includes training effectiveness verification when applicable
- [ ] Internal audit program evaluates training adequacy
- [ ] Management review includes training effectiveness as an input (Clause 5.6.2)
Common Nonconformances — and How to Avoid Them
Based on my audit experience and industry data, here are the most common ISO 13485 Clause 6.2 nonconformances and how to prevent them:
| Nonconformance | Root Cause | Prevention |
|---|---|---|
| No effectiveness evaluation documented | Training treated as "read and sign" | Add formal assessment to all training events |
| Training records reference wrong SOP revision | No link between doc control and training | Automate training triggers in your EDMS |
| Contractor training records missing | Contractors excluded from QMS scope | Expand scope to include all quality-affecting personnel |
| Competence profiles not defined for roles | Training matrix exists but competence profiles don't | Build role-based profiles as foundational documents |
| No retraining process for failures | Pass/fail not acted upon | Define and document the failure-response process |
| Management review doesn't include training data | Training siloed in HR | Add training KPIs to management review inputs |
| Training not updated after SOP revision | Reactive rather than systematic | Build document-training linkage into change control |
How Certify Consulting Approaches ISO 13485 Training Compliance
At Certify Consulting, we've developed a competence management framework that treats training not as a compliance checkbox, but as a quality system input. Our approach integrates role-based competence profiles, automated training triggers, multi-level effectiveness evaluation, and real-time KPI dashboards into a single, auditable system.
Across 200+ client engagements, we've maintained a 100% first-time audit pass rate — and training system design is one of the most significant contributors to that outcome. When your training program is structured correctly, it becomes one of the strongest evidence packages you can present to an auditor.
If your current training program generates records but not confidence, it's time to rethink the architecture.
Frequently Asked Questions
What is the difference between training and competence under ISO 13485?
Training is a mechanism for building competence; competence is the outcome. ISO 13485:2016 Clause 6.2.2 requires organizations to achieve and verify competence — not simply deliver training. An employee who has completed training but cannot demonstrate the required skill or knowledge is not yet competent under the standard.
How do you evaluate the effectiveness of training under ISO 13485?
Effectiveness evaluation must demonstrate that training achieved the intended competence. At minimum, this requires a knowledge or practical assessment with a defined pass threshold. Best practice includes tracking behavioral indicators (e.g., error rates, audit findings) to confirm on-the-job application over time.
How long must training records be retained under ISO 13485?
ISO 13485:2016 Clause 4.2.5 requires that quality records be retained for a period defined by the organization — typically at least 5 years from the date of training, or for the expected lifetime of the device plus 2 years, whichever is longer. Regulatory requirements (e.g., FDA 21 CFR Part 820, EU MDR) may impose additional retention obligations.
Do contractors and temporary workers need ISO 13485 training records?
Yes. If a contractor or temporary worker performs any activity that affects product quality, they fall within the scope of Clause 6.2. The organization must maintain records of their competence, including any site-specific training provided on-site.
What happens if an employee fails a training effectiveness assessment?
The organization must have a documented process for handling training failures. This typically includes mandatory retraining, a waiting period before reassessment, and supervisor review. The employee should not perform the quality-affecting task independently until competence is demonstrated. All steps must be recorded.
For more guidance on building a compliant, audit-ready QMS, see our resources on ISO 13485 documentation requirements and internal audit best practices.
Last updated: 2026-04-06
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.