The organization must review the requirements related to the product. This review would be conducted before committing to supply the product. While reviewing the product's requirements, the organization must refer to the next issues:

The Review of requirements process in simple words includes:

• Accepting a request for an offer from the customer.
• Understanding the customer's needs and reviewing whether the organization is capable to supply the product (considering all parameters) according to the customer's and regulatory requirements.
• Delivering an offer based upon the request
• Accepting approval for the same offer or accepting an order based on the price quote

This is the process required by the standard (the 9001 or the 13485) in general. It was defined in general because every organization must make its own adaptations. But the main idea stands on; accepting a request from the customer to provide him the product or identifying a need, reviewing the request (or need), examining whether the organization may supply the needs (both from regulatory aspects and the ability to deliver the requirements), delivering an offer and getting the approval from the customer. Nothing is new; it has been done so for a long long time ago. Your Quality management system must obtain all of the above (relax; most of you are already there without being aware…)

Now, the ISO 13485 requires documentation. The ISO 9001 requires "only" defining the process of reviewing the requirements: delivering an offer for a product, accepting a contract or an order and updating it where required. The review must be performed by relevant defined parties (for example, throughout a job description). The 13485 on the other hand, requires documenting the definition of the process: flow charts, procedures, work instructions etc. I actually recommend it too. It would gather and deliver you valuable information. Especially for follow ups and statistical analysis. The ISO 13485 does not require at this stage to gather information about your customers either. I recommend It though. Soon you would understand why. Also I recommend managing the requests by status (just that you would know where you stand).

The review shall also include a risk analysis; the organization must analyze where and when the possibility for a failure hangs and how the organization can avoid it. It needs not to be complicated (depends, off course, on the nature of your organization). Risk analysis may consist the next steps:

• Delivering the offer (or the request for the offer) for examination whether the organization can provide the device including examination of special requirements
• Performing the examination for the customer's specifications and quality requirements
• Approval of ability to produce the device

Risk analysis really depends on the nature of your medical device. Some of you would be required to perform a comprehensive and detailed risk analysis during this stage and some of you would be required to fill out "only" a short form. Not that I have anything against forms…  In any case you may turn to the ISO 14791 for risk management. There you will find more specific answers about the process of risk analysis. It is a complicated subject on itself…

Well, what is required to document?
Let's get down to details. First, it is required defining who is responsible for receiving this request and how (by mail, fax, a phone call, etc). Second, you should also define which information would be gathered and where this information would be recorded (on a form, an excel chart or on your ERP system). Next step is to document the process itself: forms or your information system, for example. The difference is resulted by the need to control the requirements for reviewing the process and to introduce it to a well maintained method. No details would be left unattended. Details left unattended would generate unsatisfied customers, but more important, some regulatory requirements may be left unfulfilled. And god forbidden, we would not want any of that! The requirement for documenting covers also cases where the customer may request changes.  A well controlled process would assure the review and the evaluation of any request for a change. Bear in mind. Medical devices are manufactured under harsh regulatory requirements. Peoples' life may depend on these medical devices. Any requested change throughout the product must be reviewed and assured that the change requested is according to the standards. Documenting the whole procedure may bring the organization to this level of control.