ISO 13485:2016 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and regulatory requirements. Such organizations can be involved in one or more stages of the life cycle, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development, or provision of associated activities such as technical support. ISO 13485:2016 can also be used by suppliers or external parties that provide products, including quality management system-related services to such organizations.
Learn more about the six steps to certification and then fill out the free business assessment questionnaire https://goo.gl/d9HVjm to see where your company stands and where to start for ISO implementation and certification.
Planning the quality system
Section 5.4.2 of ISO 13485 includes a quality planning requirement. Writing a quality manual is not sufficient, you need documented quality plans for implementing changes to your quality management system. There is no required format for quality plans, though spreadsheets and Gantt Charts are the most common tools.
As part of your quality plan, you should select an ISO consultant. You are allowed to have a different ISO consultant for each location, but I don’t recommend it. Selecting one partner for all your locations saves time and money. The standard requires that the ISO consultant must be experienced in your sector/industry-specific business.
To select a certification agent, first you need to complete an application form and request a quote. The selection of your ISO agent is also an opportunity to create a record of supplier qualification. Most quality managers contact a certification agent they worked with in the past or ask a friend for a referral. I recommend neither approach.
Meeting regulatory requirements
While developing your quality plan, U.S. medical device companies must comply with FDA 21 CFR 820.
Implementing design controls
Most clients have already implemented design controls so, that lies outside the scope of this article.
Documents, records, and training
One of the requirements for a quality manual is to define the process interactions for your quality system. This is typically done by creating a process interactions diagram. The classical template for this diagram has three levels.
- Bottom row – Support processes such as document control and training
- Middle row – Core processes such as purchasing, production, and shipping
- Top row – Management processes
Each of these levels will have associated procedures, and these procedures will need to be controlled. Therefore, the document control procedure should be the first procedure you write to serve as the foundation for the entire quality system. When you approve this procedure, you will also want to approve any design control procedures and forms you have developed. Any approval documents will be controlled as quality records, so your record control procedure might be one of your first approved procedures.
Once you have approved procedures for document control, record control, and design control, you will need to start documenting training on these procedures. Deciding how to document training is important. You need to document training, effectiveness of training, and competency. Once you have a training process, you are now ready to start writing the remaining procedures. There are 19 required procedures in ISO 13485, and there will probably be another five or six procedures required by various national regulations.
As you write each procedure, write the corresponding section of your quality manual. This allows your manual to grow organically over time, and the manual will reflect what you actually do – instead of copying directly from the standard. After a few months, you should be done writing all of your procedures, and your manual should be about 75% complete. The remaining sections of the manual can be filled in clause by clause.
The latest version of ISO places a heavy emphasis on risk management and requires that organizations consider potential hazards in their operating environment as well as their quality management system – and then take proactive steps to minimize identified risks. At the high-level, ISO 13485:2016 places an emphasis on the integration of risk management with business processes.
The primary management processes are: corrective and preventative actions (CAPA), internal auditing, and management review. I recommend implementation of these management processes after most of the other processes have been implemented.
But you may decide to implement the CAPA process and/or management reviews earlier as tools to help manage your business.
I recommend a specific sequence of implementation for these three management processes when preparing for ISO 13485 certification:
First – Implement internal auditing. During the internal auditing process, as a consultant, I typically help clients (quality manager) perform this internal audit, and we look at all processes with the exception of CAPA and management review – which have not been implemented yet. This gives me an opportunity to supplement your auditor training – if needed.
Internal auditing always identifies some areas of weakness that are documented as nonconformities. These nonconformities are then used to implement the CAPA process as the first corrective and preventive actions. During the internal audits, you look for trends that may lead to future problems. This proactive approach is the best source of preventive actions; you will identify important metrics for each process.
Second – Conduct your first management review. The requirements are simple and take up less than a page in the ISO 13485 standard. Therefore, help yourself by creating a management review template that includes each requirement on a separate slide. Put this template under document control. Don’t delete any of the slides when you are preparing a management review.
Third – Audit. Have an independent person perform an audit of the internal auditing, CAPA, and management review. This internal audit may be performed by a consultant if someone within the company is not qualified. This audit may also be done completely as a remote audit, because the management representative for the company is the primary person you need to interview and all the records should be easy to email and discuss over the phone. Once you have completed this audit and written corrective action plans for any findings, then you are ready for the Stage 1 certification audit.
The Certification audit
For certification audits, ISO 13485:2016 requires that a Stage 1 and Stage 2 audit be conducted by sector/industry – specific personnel and ISO agent.
Historically, the certification process would begin with a desktop audit of procedures. The problem with this approach is that some companies did not have records to verify that the systems were fully implemented. The new two-stage process now includes a review of records from the internal auditing, CAPA, and management review processes during Stage 1. This is why Step 5 must be completed before the Stage 1 certification audit.
The Stage 1 audit is typically a one-day audit. At the end, you receive a report indicating positive and negative findings. The auditor also indicates if your company is ready for Stage 2. Negative findings, or nonconformities, require corrective action plans to be submitted and accepted. Depending upon the timing of the Stage 2 audit, it may not be possible to fully implement corrective actions prior to the second stage. I recommend four weeks between the two stages so that minor issues can be completely resolved and there is sufficient evidence of progress for 100% of the issues identified during Stage 1.
The Stage 2 audit may involve multiple auditors and multiple days. During this audit, all the remaining processes in your quality system will be audited. The absence of a major requirement can prevent a recommendation for certification by the auditor. Usually the auditor will identify a few additional issues that require corrective action, but if the issues are minor, only corrective action plans will be required. If issues are major, the auditor may need to return for to verify that the issues are resolved before they can recommend certification.
In order to ensure that the stage one audit proceeds smoothly, the following documents and records should be prepared in advance:
- Quality manual
- Company organization chart
- Controlled list of procedures
- Internal auditing procedure
- CAPA procedure
- Management review procedure
- Internal audit schedule
- CAPA log
- Management review minutes
Once the auditor completes his report and recommends certification, he must review and accept your corrective action plans for each of the Stage 2 findings. Upon acceptance of the corrective action plans, there will be an internal review of all documentation by the certification agent. The final certificate is typically issued within about a month of accepting the corrective action plans.
Lewis Yasenchak of P&Y Management Resources is a quality and regulatory consultant with 25 years of experience developing products and managing projects in the medical device supply chain, and pharmaceutical industries. His experience includes research, product development, operations management, manufacturing engineering, equipment design, regulatory affairs, and quality assurance. Yasenchak’s passion is training others. Specific questions about ISO 13485 certification or quality system training can be directed to Yasenchak at firstname.lastname@example.org.