If you’ve been working your way through the QMSR and ISO 13485 in order — and if you have, you have my respect — you’ve probably noticed that the clauses have been getting more substantial. Clause 4.2 sorted out your paperwork. Clause 5 reminded your CEO that the quality policy isn’t a one-time exercise. Clause 6 turned training into competence records. Clause 7.3 rebuilt design controls. Clause 7.4 took purchasing seriously for the first time.
Now we arrive at Clause 7.5: Production and Service Provision. Eleven subclauses, sprawling across everything that happens between “the design is locked” and “the device is in the customer’s hands.” If you sat down with a copy of the old QSR and tried to map which subparts §7.5 replaced, your list would include — at minimum — most of Subparts F, G, and L, with bits of H and K thrown in for good measure. It is a lot. Let’s walk through it.
What §7.5 Actually Covers
Clause 7.5 contains eleven subclauses, which is more than any other clause in ISO 13485. Here’s the highlight reel:
7.5.1 Control of production and service provision is the workhorse — your basic production controls, work instructions, monitoring of process parameters, defined criteria for workmanship. This is what most people think of when they hear “production and process controls.” It replaced §820.70, which was one of FDA’s most frequently cited sections under the old QSR — more than 2,600 citations between 2008 and 2025. Now you’ll be cited under §7.5.1 instead. Progress.
7.5.2 Cleanliness of product requires documented cleanliness requirements where contamination matters. The old QSR mentioned cleanliness almost in passing in §820.70(e); ISO gives it its own subclause and asks you to define the requirements specifically.
7.5.3 Installation activities and 7.5.4 Servicing activities roughly correspond to §820.170 and §820.200, respectively. Note that the servicing records requirement isn’t fully here — FDA carved part of it back out and reinforced it in §820.35(b), where they spelled out the specific data points (device name, UDI, date, who serviced, what was done, test data).
7.5.5 covers particular requirements for sterile medical devices. 7.5.6 is process validation generally — the “if you can’t fully verify the output, you have to validate the process” rule. 7.5.7 is the specific requirement to validate processes for sterilization and sterile barrier systems. Yes, sterile barrier validation now has its own subclause. FDA spent years citing manufacturers for getting this wrong under §820.75. ISO 13485 decided to spell it out so nobody can pretend they didn’t see it.
7.5.8 Identification, 7.5.9 Traceability, 7.5.10 Customer property, and 7.5.11 Preservation of product handle the rest of the lifecycle on the floor.
What Changed from the Old QSR
The structural change is the obvious one: the old QSR had a discrete subpart for production controls (G), another for identification and traceability (F), another for handling and storage and installation and servicing (L). ISO 13485 pulls all of that into one clause, with subclauses that mostly map cleanly to the old sections. Mostly. A few specific changes are worth flagging.
Customer property is new. The old QSR didn’t really have an equivalent to §7.5.10. If you receive components, fixtures, intellectual property, or patient-specific inputs from a customer — for example, if you manufacture a patient-matched implant from a customer’s surgical plan, or assemble a device from customer-furnished tooling — you now have a documented obligation to identify, protect, and notify the customer if anything happens to it. Many U.S. manufacturers have been quietly doing this anyway; now it’s a clause your auditor will look for. If you genuinely don’t receive customer property, write that down too — a one-line statement of non-applicability is better than nothing in the procedure.
Sterile barrier validation gets its own subclause. Under the old QSR, sterilization and sterile barrier validation lived inside the general §820.75 process validation language, and FDA enforcement filled in the gaps. Under ISO, §7.5.7 names them specifically, with requirements tied to applicable standards. This isn’t really a substantive change in expectations so much as a strong hint about what auditors will ask about. “Show me the validation report for your sterile barrier system” is now a sentence with a clause number attached.
Identification, traceability, and labeling come with FDA carve-outs. Clause 7.5.8 says “the organization shall identify the product.” §820.10(b)(1) says “and you’ll do it using UDI per Part 830.” Clause 7.5.9.1 (Traceability—General) gets a similar treatment via §820.10(b)(2) and Part 821. And §820.10(d) does something subtler with §7.5.9.2 — extending its “implantable” traceability requirements to devices that support or sustain life, even if they aren’t implants. That cross-reference is sneakier than it sounds and deserves its own walkthrough: here’s the deeper dive on what counts as life-sustaining and how to write a non-applicability statement that holds up under the QMSR.
What to Actually Do
If you came from the old QSR world, your production controls almost certainly already address most of §7.5. The work is in the seams. Before your next audit, walk your procedures against the eleven subclauses, not just the old subpart structure. Make sure §7.5.10 (customer property) is addressed even if it’s a single sentence of non-applicability. Confirm that your sterile barrier validation is documented as such, not buried inside a general process validation procedure. And check whether your §7.5.9.2 non-applicability statement is built for ISO 13485 alone or for the QMSR — those are not the same document.
It’s a long clause. The good news is that most of what it asks for is what you were already doing. The bad news is that “most” is not “all,” and an FDA inspector reading from an ISO 13485 checklist will know exactly where the gaps tend to live.
Next time: §7.6, on the monitoring and measuring equipment that does the work of telling you whether all of the above is going right. It’s much shorter. I promise.