ISO 13485 certification – how to prepare?
By: Mateusz Knyć
You want to deliver a software solution compliant with medical standards. A decision has been made to get ISO 13485 certification in our organization. We assume this is the right (who says no to ISO!) and informed (we will prepare some procedures, or buy it, if necessary!) decision.
But first things first.
Management Board engagement ISO 13485 certification
Decision on this scale is made somewhere on the management level. And, what’s important – this is not the end of the management board function. An efficient quality system can be developed only with the continuous support of the management board. And support can be developed through engagement of the management board – it is the management board that determines the purposes of the organization and transfers them down to the lower levels of the organization. And it is the management board which has the means necessary to appoint members (project team) which will prepare our system. These means are not only financial resources but also rights, time and support for the team.
Understanding of the requirements
It is necessary to be aware that ISO (not only 13485 but also others, such as 9001 or 27001) is not a list of instructions on what to do and how to work in order to pass the certification. It is a certain catalogue of practices and requirements which should be implemented in the organization in order to comply with the standard.
But actually how? This matter is not indicated in the standard. ISO is very logical. And so, by logic – there are too many organizations on the market acting different ways, manufacturing different devices and taking advantage of different opportunities, so preparing a document which describes the way of implementing anything in every organization is impossible.
That’s why our project team will read the ISO very thoroughly and check if we meet particular requirements. If a standard says that we have to manage the documentation – is it already happening? Do we know which documents are supervised? How? In which systems?
Manufacturing of a medical device is only one part of the whole process. And prior to its design and prototyping, it will be necessary to hire staff who knows how to do it (if they don’t – we have totrain them); we may have to purchase some parts to use in our product (and we want to be sure that those parts meet our requirements, and that the supplier will not disappoint us). After that, we have to store the product somewhere, provide support to its users, analyse problems they report…
As can be seen, our system refers to many departments of the organization and the project team will ask each of them many questions. It will be a kind of audit which will indicate differences between the current and target state.
We already know what we miss in our activities. Now, it is necessary to devote some (much?) time for implementation of the processes, procedures which we yet don’t have but have to prepare. There you are – do we have to? If we haven’t been doing something so far and ISO forces us to do it, maybe ISO 13485 certification makes no sense? As in many cases, the answer is not so simple. Indeed, some processes won’t be conducted (we don’t need a sterile laboratory which must be taken care of if we don’t produce sterile products) or will be conducted in part (if our product is a computer program, we won’t need a place to store it). Of course, in our Quality Book (the main document which we treat as a guide for our quality management system) there is a space to determine such areas. But, there are also processes which must be implemented, much as we would not like to do it (starting with managing documents and entries) and those which we are already basing on, as they refer to our business.
How do we maintain these processes? How do we know, they work? Does each person interested is aware of how their duties should be performed in accordance with these processes? These are some question to which answers must be found. Better do it among us than during an audit.
Does it all have to be so formal, thoroughly described, difficult and making the employees who hear “ISO” escape right away? I think not. At least, in most cases. We must remember that ISO 13485 certification does not indicate how to organize our activities. Thus, the standard is “flexible” – if we stick to the idea that the system is for us and not us for the system, it will change the perspective completely. Since we prepare documents in Word and upload them on the server, let’s think if it is compliant with ISO and if not, what must be done with it to comply. Let’s not resign from our work method and start printing all documents to store them on the shelf.
Our project team will know how the system works. Some people asked for consultation or other type of support during implementation may also know. But the system refers to the organization as a whole. And it refers to different departments of our company in different degree. We have to make sure that our employees know what it means for them, how it influences their work and what is expected from them. This is where training will be helpful.
A Power Point presentation? Webinar? A collection of entries on the company blog? The more efficiently we act there, the less problems will we encounter in the future. We already know, what will be the most effective (at least we think so at present) as we analysed which processes are necessary within the organization and what actually work. At last, everything start to click in place.
3….2….1…. ISO 13485 certification?
Start! It is good to give our system some proving ground. In this way, we will know how does it work in practice, what we missed, what we failed to forecast, what people do not understand. We will have a chance to introduce corrections and to improve our system right away. How long should it last? I assume if someone has read up to this point, they will not expect an exact answer – but it is common for the system to be in operation in the organization for at least 3 months.
Slowly but surely, arranging an audit with a notified authority (which is a sophisticated name for the company which will control us) can take a while (therefore it is worth making an arrangement in advance), so we will gain some time. There is nothing better affecting the imagination than a prearranged date.
If we already have something which seems to be functioning, now it’s time to say “Check”. This is the purpose of internal audits in which our assumptions regarding the system are verified – it is expected that not everything will function perfectly right away (will it ever?). Audits may be helpful in identification of such defective areas.
And who is supposed to perform such audits? It is worthwhile to train a team of internal auditors. These will be people from the original project team. Of course, not everyone wants to be an auditor, and not everyone is cut out for it. And not everyone can perform audits on “everything” – it is necessary to ensure independence during these audits (even the internal ones – they are primarily for us in the first place), at least in some degree.
What should we check? Auditors will know it best. But we can find many different check lists in the net, some of which are valuable – it is worth digging and finding something of our interest. If we have such opportunity, it is worth investing in an external auditor to perform the audit.
My tiny suggestion at the end: in my opinion, an internal audit should be more demanding than an external one! The principle “the more you sweat in training, the less you bleed in battle” proves correct as well.
A certifying audit consists of two parts, separated from one another by a period long enough to let our system “live”, allowing for collection of evidence for its efficiency. The choice of the notified authority which we ordered to perform the audit is not always irrelevant. It is worth selecting the one which we get along with and which hire auditors specializing in our field of activity (The audit will be more demanding? Maybe so. But the discussion will be more reasonable as well).
On the prearranged date, the auditors enter the company and a discussion begins on the quality of our management system, which we think is reliable at this stage…
Contact us if you have any questions!
See the previous post: Outsourcing vs in-house software development