It is all too easy to dive into the list of requirements contained within the ISO 13485 and achieve compliance by just ticking the boxes: looking at one requirement or one area at a time and making sure you have put in place something to address that requirement. This may easily result in a quality system that feels like a patchwork. Compliant, perhaps, but most certainly awkward and difficult to sustain.
The second most common mistake is to not ask yourself how software tools can help in setting up the quality system. “We already have MS Word, MS Excel, email, and we can always print a document and have it signed.” This is only a solution if you think that the quality system is a one-off activity. In the longer run, the system turns out to be a constant struggle with non-integrated elements that have no cohesion.
A better way to address compliance is to:
  1. Accept the fact that the quality system is a long term commitment and that it is very demanding.
  2. Assume that the right software tools do help.
  3. Think strategically, reviewing the whole standard, and try to identify the different areas, in respect to what type of software would help address those.

Real life example: A company maintains an Excel list of all corrective actions. The date of effectiveness check is filled in manually. A QA engineer needs to review the Excel spreadsheet once a week to identify which effectiveness checks are due. Last audit revealed that in most cases, effectiveness checks were not followed up.
Real life question: Meetings and other events are registered in a calendar and you are reminded when they are due. Wouldn’t it be easier if effectiveness checks due dates were also linked to a calendar? Putting those dates in Excel does not make more sense than putting your meetings in Excel…..

What follows is how we can divide the ISO-13485(2003 and 2012) in regard to the type of software features which can help us. You do not need to be an IT expert to follow the logic or the explanation – if you know the standard and see my examples hopefully you will get the idea.
In any case, I put here the complete mapping of the ISO into the different categories I describe. I also mention the main Atlassian tools we use to address each area. In future posts we will dive deeper into each of those categories and provide more details on exactly how we achieve easy and sustainable, compliance.
So, as promised, these are the various categories that appear in the ISO 13485:
  1. Document management: These are the various requirements relating to the procedures, manuals, and device related documents you need to have, and how they should be handled within the organization. The ISO elaborates in quite a detailed manner about how the controlled documents needs to be approved, who should access them, etc. Confluence is the key tool we use to handle all these requirements.
  2. Procedures and records are the evidence that the organization lives up to its quality system: The various procedures and work instructions should be followed consistently on a daily basis, forms or other records should be collected as evidence. Some examples (with reference to the standard section):
    • Training( 6.2.2).
    • Customer complaints: (8.5.1).
    • Corrective and preventive actions: (8.5.2, 8.5.3)
    • Subcontractor approvals( 7.4.1)
    • Purchasing forms( 7.4.1).

Those records may be created as electronic or physical paper forms which need to be completed by the authorized person. However, a much better way is to implement an automatic workflow that makes it easier for the team to create, follow, and document all the various tasks they need to do. Such a workflow can automatically schedule tasks, remind and alert, thus triggering better compliance to the quality system and at the same time automatically creating the required records. This is a double win. JIRA® is our tool of choice and it provides a state-of-the-art solution to everything related to forms and workflows.

  1. Design control: Some of the issues covered by section 7 of the ISO 13485 require quite advanced control along several phases of design and development. The risk mitigation measures and the product requirements should be, for example, verified in the product verification stage. This verification, or the test file, could be written as a simple Word or Excel document, but a far better implementation is to create it within JIRA. The advantage of JIRA here is the various reporting that it allows once the data is in and the fact that it can connect directly into the work scheduling of the various team members. JIRA is the principal tool we use for design control. Confluence can be used in some advanced implementations. If the medical device involves software, then the development suite from Atlassian can be implemented to provide a complete software life cycle management suite.
  2. Manufacturing and product traceability: Some requirements relate to your manufacturing setup. Depending on the scale and type of manufacturing, specialized ERP may be the best option. When manufacturing is more basic and does not call for a full blown manufacturing facility, JIRA can handle the requirements of the standard.
  3. Monitoring and improving: A key theme of the standard is the need of the organization to measure and improve (for example, section 8.2.3). The nice thing is that the framework we have put in place to support the other categories, if done correctly, should provide us with the reports, alerts, and statistics we need. Indeed, all the processes we have implemented in JIRA, as well as the various elements we have implemented in Confluence, may easily be collected and displayed in practically endless variations of reports and dashboards.
Requirement (Article)Requirement type
4.Quality management system – 1.General requirementsNon specific
4.Quality management system – 2.Documentation requirements – 1.GeneralDocument management
4.Quality management system – 2.Documentation requirements – 2.Quality manualDocument management
4.Quality management system – 2.Documentation requirements – 3.Control of documentsDocument management
4.Quality management system – 2.Documentation requirements – 4.Control of recordsProcedures and records
5.Management responsibility – 1.Management commitmentDocument management
5.Management responsibility – 2.Customer focusNon specific
5.Management responsibility – 3.Quality policyMonitoring and ongoing improvement
5.Management responsibility – 4.Planning – 1.Quality objectivesMonitoring and ongoing improvement
5.Management responsibility – 4.Planning – 2.Quality management system planningMonitoring and ongoing improvement
5.Management responsibility – 5.Responsibility, authority and communication – 1.Responsibility and authorityDocument management
5.Management responsibility – 5.Responsibility, authority and communication – 2.Management representativeMonitoring and ongoing improvement
5.Management responsibility – 5.Responsibility, authority and communication – 3.Internal communicationMonitoring and ongoing improvement
5.Management responsibility – 6.Management review – 1.GeneralMonitoring and ongoing improvement
5.Management responsibility – 6.Management review – 2.Review inputMonitoring and ongoing improvement
5.Management responsibility – 6.Management review – 3.Review outputMonitoring and ongoing improvement
6.Resource management – 1.Provision of resourcesNon specific
6.Resource management – 2.Human resources – 1.GeneralProcedures and records
6.Resource management – 2.Human resources – 2.Competence, awareness and trainingProcedures and records
6.Resource management – 3.InfrastructureManufacturing and product traceability
6.Resource management – 4.Work environmentNon specific
7.Product realization – 1.Planning of product realizationDesign control
7.Product realization – 2.Customer-related processes – 1.Determination of requirements related to the productDesign control
7.Product realization – 2.Customer-related processes – 2.Review of requirements related to the productDesign control
7.Product realization – 2.Customer-related processes – 3.Customer communicationDesign control
7.Product realization – 3.Design and development – 1.Design and development planningDesign control
7.Product realization – 3.Design and development – 1.Design and development inputDesign control
7.Product realization – 3.Design and development – 3.Design and development outputsDesign control
7.Product realization – 3.Design and development – 4.Design and development reviewDesign control
7.Product realization – 3.Design and development – 5.Design and development verificationDesign control
7.Product realization – 3.Design and development – 6.Design and development validationDesign control
7.Product realization – 3.Design and development – 7.Control of design and development changesDesign control
7.Product realization – 4.Purchasing – 1.Purchasing processProcedures and records
7.Product realization – 4.Purchasing – 2.Purchasing informationProcedures and records
7.Product realization – 4.Purchasing – 3.Verification of purchased productProcedures and records
7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 1.General requirementsProcedures and records
7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 2.Control of production and service provision: Specific requirements – 1.Cleanliness of product and contamination controlManufacturing and product traceability
7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 2.Control of production and service provision: Specific requirements – 2.Installation ativitiesProcedures and records
7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 2. – 3.Servicing activitiesProcedures and records
7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 3.Particular requirements for sterile medical devicesManufacturing and product traceability
7.Product realization – 5.Production and service provision – 2.Validation of processes for production and service provision – 1.General requirementsManufacturing and product traceability
7.Product realization – 5.Production and service provision – 2.Validation of processes for production and service provision – 2.Particular requirements for sterile medical devicesManufacturing and product traceability
7.Product realization – 5.Production and service provision – 3. Identification and traceability – 1.IdentificationManufacturing and product traceability
7.Product realization – 5.Production and service provision – 3. Identification and traceability – 2.Traceability – 1.GeneralManufacturing and product traceability
7.Product realization – 5.Production and service provision – 3. Identification and traceability – 2.Particular requirements for active implantable medical devices and implantable medical devicesManufacturing and product traceability
7.Product realization – 5.Production and service provision – 3. Identification and traceability – 3.Status identificationManufacturing and product traceability
7.Product realization – 5.Production and service provision – 4.Customer propertyNon specific
7.Product realization – 5.Production and service provision – 5.Preservation of productProcedures and records
7.Product realization – 6.Control of monitoring and measuring devicesManufacturing and product traceability
8.Measurement, analysis and improvement – 1.GeneralMonitoring and ongoing improvement
8.Measurement, analysis and improvement – 2.Monitoring and measurement – 1.FeedbackMonitoring and ongoing improvement
8.Measurement, analysis and improvement – 2.Monitoring and measurement – 2.Internal auditProcedures and records
8.Measurement, analysis and improvement – 2.Monitoring and measurement – 3.Monitoring and measurement of processesMonitoring and ongoing improvement
8.Measurement, analysis and improvement – 2.Monitoring and measurement – 4.Monitoring and measurement of product – 1. General requirementsDesign control
8.Measurement, analysis and improvement – 2.Monitoring and measurement – 4.Monitoring and measurement of product – 2.Particular requirement for active implantable medical devices and implantable medical devicesProcedures and records
8.Measurement, analysis and improvement – 3.Control of nonconforming productProcedures and records
8.Measurement, analysis and improvement – 4.Aalysis of dataMonitoring and ongoing improvement
8.Measurement, analysis and improvement – 5.Improvement – 1.GeneralMonitoring and ongoing improvement
8.Measurement, analysis and improvement – 5.Improvement – 2.Corrective actionProcedures and records
8.Measurement, analysis and improvement – 5.Improvement – 3.Preventive actionProcedures and records