ISO 13485 certification – how to prepare?

group of people having workshop on medical compliance standards and ISO 13485 certification for software as a medical device

Management Board engagement ISO 13485 certification

Decision on this scale is made somewhere on the management level. And, what’s important – this is not the end of the management board function. To develop an efficient quality system, it is crucial to have continuous support from the management board. To provide support, it’s important to involve the management board. They set the organization’s goals and communicate them to lower levels. And it is the management board which has the means necessary to appoint members (project team) which will prepare our system. These means are not only financial resources but also rights, time and support for the team.

Understanding of the requirements

It is necessary to be aware that ISO (not only 13485 but also others, such as 9001 or 27001) is not a list of instructions on what to do and how to work in order to pass the certification. It is a certain catalogue of practices and requirements which should be implemented in the organization in order to comply with the standard.

But actually how? This matter is not indicated in the standard. ISO is very logical. And so, by logic – there are too many organizations on the market acting in different ways, manufacturing different devices and taking advantage of different opportunities, so preparing a document which describes the way of implementing anything in every organization is impossible.

  • A competent team
  • That’s why our project team will read the ISO very thoroughly and check if we meet particular requirements. If a standard says that we have to manage the documentation – is it already happening? Do we know which documents are supervised? How? In which systems?
    Manufacturing of a medical device is only one part of the whole process. Before its design and prototyping, it will be necessary to hire staff who know how to do it (if they don’t – we have to train them); we may have to purchase some parts to use in our product (and we want to be sure that those parts meet our requirements, and that the supplier will not disappoint us). After that, we have to store the product somewhere, provide support to its users, analyse problems they report…

    As can be seen, our system refers to many departments of the organization and the project team will ask each of them many questions. It will be a kind of audit which will indicate differences between the current and target state.

    Implementation

    We already know what we miss in our activities. Now, it is necessary to devote some (much?) time for implementation of the processes, procedures which we yet don’t have but have to prepare. There you are – do we have to?

    If we haven’t been doing something so far and ISO forces us to do it, maybe ISO 13485 certification makes no sense? As in many cases, the answer is not so simple. Some processes are unnecessary if they don’t contribute to the end product. For example, if we don’t produce sterile products, we don’t need to maintain a sterile laboratory. Similarly, if our product is a computer program, we don’t need a physical storage space for it.

    Of course, in our Quality Book (the main document which we treat as a guide for our quality management system) there is a space to determine such areas. Although there are processes we don’t like to implement (such as managing documents and entries), there are also processes we already rely on for our business.

    How do we maintain these processes? How do we know, they work? Are all interested parties aware of how to perform their duties in accordance with these processes? These are some questions that must be answered. Better do it among us than during an audit.

  • The system exists to serve us, not the other way around
  • Does it all have to be so formal, thoroughly described, difficult and making the employees who hear “ISO” escape right away? I think not. At least, in most cases. We must remember that ISO 13485 certification does not indicate how to organize our activities. Thus, the standard is “flexible” – if we stick to the idea that the system is for us and not us for the system, it will change the perspective completely. Since we prepare documents in Word and upload them on the server, let’s think if it is compliant with ISO and if not, what must be done with it to comply. Let’s not resign from our work method and start printing all documents to store them on the shelf.

    Training

    Our project team will know how the system works. Some people asked for consultation or other type of support during implementation may also know. But the system refers to the organization as a whole. And it refers to different departments of our company in different degree. We have to make sure that our employees know what it means for them, how it influences their work and what is expected from them. This is where training will be helpful.

    A Power Point presentation? Webinar? A collection of entries on the company blog? The more efficiently we act there, the less problems will we encounter in the future. We already know, what will be the most effective (at least we think so at present) as we analysed which processes are necessary within the organization and what actually work. At last, everything start to click in place.

    It is necessary to be aware that ISO (not only 13485 but also others, such as 9001 or 27001) is not a list of instructions on what to do and how to work in order to pass the certification. - quote
    3….2….1…. ISO 13485 certification?

    Start! It is good to give our system some proving ground. In this way, we will know how it works in practice, what we missed, what we failed to forecast, and what people do not understand. We will have a chance to introduce corrections and to improve our system right away. How long should it last? I assume if someone has read up to this point, they will not expect an exact answer – but it is common for the system to be in operation in the organization for at least 3 months.

    Slowly but surely, arranging an audit with a notified authority (which is a sophisticated name for the company which will control us) can take a while (therefore it is worth making an arrangement in advance), so we will gain some time. There is nothing better affecting the imagination than a prearranged date.

    Internal audit

    If we already have something which seems to be functioning, now it’s time to say “Check”. This is the purpose of internal audits: to verify our assumptions about the system, knowing that not everything will function perfectly from the start (will it ever?). Audits may be helpful in identification of such defective areas.

    Who is responsible for conducting these audits? It is worthwhile to train a team of internal auditors. These will be people from the original project team. Of course, not everyone wants to be an auditor, and not everyone is cut out for it. Not everyone can perform audits on “everything” – it is necessary to ensure independence during these audits (even the internal ones – they are primarily for us in the first place), at least to some degree.

    What should we check? Auditors will know it best. But we can find many different check lists in the net, some of which are valuable – it is worth digging and finding something of our interest. If we have such opportunity, it is worth investing in an external auditor to perform the audit.

    My tiny suggestion at the end: in my opinion, an internal audit should be more demanding than an external one! The principle “the more you sweat in training, the less you bleed in battle” proves correct as well.

    Certifying audit

    A certifying audit consists of two parts, separated from one another by a period long enough to let our system “live”, allowing for collection of evidence for its efficiency.

    The choice of the notified authority which we ordered to perform the audit is not always irrelevant. It is worth selecting the one which we get along with and which hire auditors specializing in our field of activity (The audit will be more demanding? Maybe so. But the discussion will be more reasonable as well).

    On the prearranged date, the auditors enter the company and a discussion begins on the quality of our management system, which we think is reliable at this stage…

    Good luck!

    #healthcare technology #medical device #medical software solution #medtech

     

    Sources:

    [1] https://www.iso.org/standard/59752.html