#

ISO 13485

Medical Devices

What is ISO 13485 certification?

“ISO 13485 Certified” means an organization has implemented an ISO 13485 Quality Management System and has successfully met all of the requirements in ISO 13485. ISO 13485 evaluates whether your Quality Management System is appropriate and effective while emphasizing the safety and efficacy of medical devices. ISO 13485 was written to support medical device manufacturers in designing quality management systems that establish and maintain the effectiveness of their processes. It ensures the consistent design, development, production, installation, and delivery of medical devices that are safe for their intended purpose.

What are the benefits of ISO 13485 Certification?

Companies that have implemented ISO 13485 cite numerous benefits. Many companies seek the ISO 13485:2016 Certification because of the financial benefits to their business. The certification demonstrates its commitment to building high-quality medical devices. That allows companies to attract more clients than before. Additional of the other benefits of implementing ISO 13485:2016 Certification include: 1. Ability to Contract with Larger Companies Many large medical device companies prefer to work with who are ISO 13485 certified suppliers. The large companies are responsible for ensuring that any subcontractors comply with ISO 13485 standards. This means that subcontractors who have already certified will likely have priority. 2. Demonstrate Commitment to High Quality Both ISO 13485 and ISO 9001 are considers as indicators of an organization’s commitment to quality. Achieving a quality management certification demonstrates to customers that your company appreciates quality. 3. Expand Potential Market ISO 13485 Standard has been created to ensure that medical devices in different positions demonstrate the same reliability and quality. If you are thinking of exporting products, ISO 13485 Certification can offer an advantage. 4. Help Staff Access Relevant Information The requirements of ISO 13485:2016 Documentation are designed to ensure that all members of a development team have access to the information they need, when they need it. Having access to the right information can reduce the time and expense associated with product development. 5. Expand and Consolidate Company Knowledge We also know from customer that process of ISO 13485:2016 documentation associated with their medical device helps the company develop a consolidated knowledge base. This knowledge can help to identify problems, improve the product, and simplify the production process. It also facilitates the process of incorporating new employees.

What are the requirements of ISO 13485 certification?

ISO 13485:2016 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and regulatory requirements. Such organizations can be involved in one or more stages of the life cycle, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development, or provision of associated activities such as technical support. ISO 13485:2016 can also be used by suppliers or external parties that provide products, including quality management system-related services to such organizations. Step 1 Planning the quality system Section 5.4.2 of ISO 13485 includes a quality planning requirement. Writing a quality manual is not sufficient, you need documented quality plans for implementing changes to your quality management system. There is no required format for quality plans, though spreadsheets and Gantt Charts are the most common tools. As part of your quality plan, you should select an ISO consultant. You are allowed to have a different ISO consultant for each location, but I don’t recommend it. Selecting one partner for all your locations saves time and money. The standard requires that the ISO consultant must be experienced in your sector/industry-specific business. To select a certification agent, first you need to complete an application form and request a quote. The selection of your ISO agent is also an opportunity to create a record of supplier qualification. Most quality managers contact a certification agent they worked with in the past or ask a friend for a referral. I recommend neither approach. Step 2 Meeting regulatory requirements While developing your quality plan, U.S. medical device companies must comply with FDA 21 CFR 820. Step 3 Implementing design controls Most clients have already implemented design controls so, that lies outside the scope of this article. Step 4 Documents, records, and training One of the requirements for a quality manual is to define the process interactions for your quality system. This is typically done by creating a process interactions diagram. The classical template for this diagram has three levels. Bottom row – Support processes such as document control and training Middle row – Core processes such as purchasing, production, and shipping Top row – Management processes Each of these levels will have associated procedures, and these procedures will need to be controlled. Therefore, the document control procedure should be the first procedure you write to serve as the foundation for the entire quality system. When you approve this procedure, you will also want to approve any design control procedures and forms you have developed. Any approval documents will be controlled as quality records, so your record control procedure might be one of your first approved procedures. Once you have approved procedures for document control, record control, and design control, you will need to start documenting training on these procedures. Deciding how to document training is important. You need to document training, effectiveness of training, and competency. Once you have a training process, you are now ready to start writing the remaining procedures. There are 19 required procedures in ISO 13485, and there will probably be another five or six procedures required by various national regulations. As you write each procedure, write the corresponding section of your quality manual. This allows your manual to grow organically over time, and the manual will reflect what you actually do – instead of copying directly from the standard. After a few months, you should be done writing all of your procedures, and your manual should be about 75% complete. The remaining sections of the manual can be filled in clause by clause. Step 5 Management processes The latest version of ISO places a heavy emphasis on risk management and requires that organizations consider potential hazards in their operating environment as well as their quality management system – and then take proactive steps to minimize identified risks. At the high-level, ISO 13485:2016 places an emphasis on the integration of risk management with business processes. The primary management processes are: corrective and preventative actions (CAPA), internal auditing, and management review. I recommend implementation of these management processes after most of the other processes have been implemented. But you may decide to implement the CAPA process and/or management reviews earlier as tools to help manage your business. I recommend a specific sequence of implementation for these three management processes when preparing for ISO 13485 certification: First – Implement internal auditing. During the internal auditing process, as a consultant, I typically help clients (quality manager) perform this internal audit, and we look at all processes with the exception of CAPA and management review – which have not been implemented yet. This gives me an opportunity to supplement your auditor training – if needed. Internal auditing always identifies some areas of weakness that are documented as nonconformities. These nonconformities are then used to implement the CAPA process as the first corrective and preventive actions. During the internal audits, you look for trends that may lead to future problems. This proactive approach is the best source of preventive actions; you will identify important metrics for each process. Second – Conduct your first management review. The requirements are simple and take up less than a page in the ISO 13485 standard. Therefore, help yourself by creating a management review template that includes each requirement on a separate slide. Put this template under document control. Don’t delete any of the slides when you are preparing a management review. Third – Audit. Have an independent person perform an audit of the internal auditing, CAPA, and management review. This internal audit may be performed by a consultant if someone within the company is not qualified. This audit may also be done completely as a remote audit, because the management representative for the company is the primary person you need to interview and all the records should be easy to email and discuss over the phone. Once you have completed this audit and written corrective action plans for any findings, then you are ready for the Stage 1 certification audit. Step 6 The Certification audit For certification audits, ISO 13485:2016 requires that a Stage 1 and Stage 2 audit be conducted by sector/industry – specific personnel and ISO agent. Historically, the certification process would begin with a desktop audit of procedures. The problem with this approach is that some companies did not have records to verify that the systems were fully implemented. The new two-stage process now includes a review of records from the internal auditing, CAPA, and management review processes during Stage 1. This is why Step 5 must be completed before the Stage 1 certification audit. The Stage 1 audit is typically a one-day audit. At the end, you receive a report indicating positive and negative findings. The auditor also indicates if your company is ready for Stage 2. Negative findings, or nonconformities, require corrective action plans to be submitted and accepted. Depending upon the timing of the Stage 2 audit, it may not be possible to fully implement corrective actions prior to the second stage. I recommend four weeks between the two stages so that minor issues can be completely resolved and there is sufficient evidence of progress for 100% of the issues identified during Stage 1. The Stage 2 audit may involve multiple auditors and multiple days. During this audit, all the remaining processes in your quality system will be audited. The absence of a major requirement can prevent a recommendation for certification by the auditor. Usually the auditor will identify a few additional issues that require corrective action, but if the issues are minor, only corrective action plans will be required. If issues are major, the auditor may need to return for to verify that the issues are resolved before they can recommend certification. In order to ensure that the stage one audit proceeds smoothly, the following documents and records should be prepared in advance: Quality manual Company organization chart Controlled list of procedures Internal auditing procedure CAPA procedure Management review procedure Internal audit schedule CAPA log Management review minutes Once the auditor completes his report and recommends certification, he must review and accept your corrective action plans for each of the Stage 2 findings. Upon acceptance of the corrective action plans, there will be an internal review of all documentation by the certification agent. The final certificate is typically issued within about a month of accepting the corrective action plans.