It is all too easy to dive into the list of requirements contained within the ISO 13485 and achieve compliance by just ticking the boxes: looking at one requirement or one area at a time and making sure you have put in place something to address that requirement. This may easily result in a quality system that feels like a patchwork. Compliant, perhaps, but most certainly awkward and difficult to sustain.
The second most common mistake is to not ask yourself how software tools can help in setting up the quality system. “We already have MS Word, MS Excel, email, and we can always print a document and have it signed.” This is only a solution if you think that the quality system is a one-off activity. In the longer run, the system turns out to be a constant struggle with non-integrated elements that have no cohesion.
A better way to address compliance is to:
- Accept the fact that the quality system is a long term commitment and that it is very demanding.
- Assume that the right software tools do help.
- Think strategically, reviewing the whole standard, and try to identify the different areas, in respect to what type of software would help address those.
Real life example: A company maintains an Excel list of all corrective actions. The date of effectiveness check is filled in manually. A QA engineer needs to review the Excel spreadsheet once a week to identify which effectiveness checks are due. Last audit revealed that in most cases, effectiveness checks were not followed up.
Real life question: Meetings and other events are registered in a calendar and you are reminded when they are due. Wouldn’t it be easier if effectiveness checks due dates were also linked to a calendar? Putting those dates in Excel does not make more sense than putting your meetings in Excel…..
What follows is how we can divide the ISO-13485(2003 and 2012) in regard to the type of software features which can help us. You do not need to be an IT expert to follow the logic or the explanation – if you know the standard and see my examples hopefully you will get the idea.
In any case, I put here the complete mapping of the ISO into the different categories I describe. I also mention the main Atlassian tools we use to address each area. In future posts we will dive deeper into each of those categories and provide more details on exactly how we achieve easy and sustainable, compliance.
So, as promised, these are the various categories that appear in the ISO 13485:
- Document management: These are the various requirements relating to the procedures, manuals, and device related documents you need to have, and how they should be handled within the organization. The ISO elaborates in quite a detailed manner about how the controlled documents needs to be approved, who should access them, etc. Confluence is the key tool we use to handle all these requirements.
- Procedures and records are the evidence that the organization lives up to its quality system: The various procedures and work instructions should be followed consistently on a daily basis, forms or other records should be collected as evidence. Some examples (with reference to the standard section):
- Training( 6.2.2).
- Customer complaints: (8.5.1).
- Corrective and preventive actions: (8.5.2, 8.5.3)
- Subcontractor approvals( 7.4.1)
- Purchasing forms( 7.4.1).
Those records may be created as electronic or physical paper forms which need to be completed by the authorized person. However, a much better way is to implement an automatic workflow that makes it easier for the team to create, follow, and document all the various tasks they need to do. Such a workflow can automatically schedule tasks, remind and alert, thus triggering better compliance to the quality system and at the same time automatically creating the required records. This is a double win. JIRA® is our tool of choice and it provides a state-of-the-art solution to everything related to forms and workflows.
- Design control: Some of the issues covered by section 7 of the ISO 13485 require quite advanced control along several phases of design and development. The risk mitigation measures and the product requirements should be, for example, verified in the product verification stage. This verification, or the test file, could be written as a simple Word or Excel document, but a far better implementation is to create it within JIRA. The advantage of JIRA here is the various reporting that it allows once the data is in and the fact that it can connect directly into the work scheduling of the various team members. JIRA is the principal tool we use for design control. Confluence can be used in some advanced implementations. If the medical device involves software, then the development suite from Atlassian can be implemented to provide a complete software life cycle management suite.
- Manufacturing and product traceability: Some requirements relate to your manufacturing setup. Depending on the scale and type of manufacturing, specialized ERP may be the best option. When manufacturing is more basic and does not call for a full blown manufacturing facility, JIRA can handle the requirements of the standard.
- Monitoring and improving: A key theme of the standard is the need of the organization to measure and improve (for example, section 8.2.3). The nice thing is that the framework we have put in place to support the other categories, if done correctly, should provide us with the reports, alerts, and statistics we need. Indeed, all the processes we have implemented in JIRA, as well as the various elements we have implemented in Confluence, may easily be collected and displayed in practically endless variations of reports and dashboards.
| Requirement (Article) | Requirement type |
| 4.Quality management system – 1.General requirements | Non specific |
| 4.Quality management system – 2.Documentation requirements – 1.General | Document management |
| 4.Quality management system – 2.Documentation requirements – 2.Quality manual | Document management |
| 4.Quality management system – 2.Documentation requirements – 3.Control of documents | Document management |
| 4.Quality management system – 2.Documentation requirements – 4.Control of records | Procedures and records |
| 5.Management responsibility – 1.Management commitment | Document management |
| 5.Management responsibility – 2.Customer focus | Non specific |
| 5.Management responsibility – 3.Quality policy | Monitoring and ongoing improvement |
| 5.Management responsibility – 4.Planning – 1.Quality objectives | Monitoring and ongoing improvement |
| 5.Management responsibility – 4.Planning – 2.Quality management system planning | Monitoring and ongoing improvement |
| 5.Management responsibility – 5.Responsibility, authority and communication – 1.Responsibility and authority | Document management |
| 5.Management responsibility – 5.Responsibility, authority and communication – 2.Management representative | Monitoring and ongoing improvement |
| 5.Management responsibility – 5.Responsibility, authority and communication – 3.Internal communication | Monitoring and ongoing improvement |
| 5.Management responsibility – 6.Management review – 1.General | Monitoring and ongoing improvement |
| 5.Management responsibility – 6.Management review – 2.Review input | Monitoring and ongoing improvement |
| 5.Management responsibility – 6.Management review – 3.Review output | Monitoring and ongoing improvement |
| 6.Resource management – 1.Provision of resources | Non specific |
| 6.Resource management – 2.Human resources – 1.General | Procedures and records |
| 6.Resource management – 2.Human resources – 2.Competence, awareness and training | Procedures and records |
| 6.Resource management – 3.Infrastructure | Manufacturing and product traceability |
| 6.Resource management – 4.Work environment | Non specific |
| 7.Product realization – 1.Planning of product realization | Design control |
| 7.Product realization – 2.Customer-related processes – 1.Determination of requirements related to the product | Design control |
| 7.Product realization – 2.Customer-related processes – 2.Review of requirements related to the product | Design control |
| 7.Product realization – 2.Customer-related processes – 3.Customer communication | Design control |
| 7.Product realization – 3.Design and development – 1.Design and development planning | Design control |
| 7.Product realization – 3.Design and development – 1.Design and development input | Design control |
| 7.Product realization – 3.Design and development – 3.Design and development outputs | Design control |
| 7.Product realization – 3.Design and development – 4.Design and development review | Design control |
| 7.Product realization – 3.Design and development – 5.Design and development verification | Design control |
| 7.Product realization – 3.Design and development – 6.Design and development validation | Design control |
| 7.Product realization – 3.Design and development – 7.Control of design and development changes | Design control |
| 7.Product realization – 4.Purchasing – 1.Purchasing process | Procedures and records |
| 7.Product realization – 4.Purchasing – 2.Purchasing information | Procedures and records |
| 7.Product realization – 4.Purchasing – 3.Verification of purchased product | Procedures and records |
| 7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 1.General requirements | Procedures and records |
| 7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 2.Control of production and service provision: Specific requirements – 1.Cleanliness of product and contamination control | Manufacturing and product traceability |
| 7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 2.Control of production and service provision: Specific requirements – 2.Installation ativities | Procedures and records |
| 7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 2. – 3.Servicing activities | Procedures and records |
| 7.Product realization – 5.Production and service provision – 1.Control of production and service provision – 3.Particular requirements for sterile medical devices | Manufacturing and product traceability |
| 7.Product realization – 5.Production and service provision – 2.Validation of processes for production and service provision – 1.General requirements | Manufacturing and product traceability |
| 7.Product realization – 5.Production and service provision – 2.Validation of processes for production and service provision – 2.Particular requirements for sterile medical devices | Manufacturing and product traceability |
| 7.Product realization – 5.Production and service provision – 3. Identification and traceability – 1.Identification | Manufacturing and product traceability |
| 7.Product realization – 5.Production and service provision – 3. Identification and traceability – 2.Traceability – 1.General | Manufacturing and product traceability |
| 7.Product realization – 5.Production and service provision – 3. Identification and traceability – 2.Particular requirements for active implantable medical devices and implantable medical devices | Manufacturing and product traceability |
| 7.Product realization – 5.Production and service provision – 3. Identification and traceability – 3.Status identification | Manufacturing and product traceability |
| 7.Product realization – 5.Production and service provision – 4.Customer property | Non specific |
| 7.Product realization – 5.Production and service provision – 5.Preservation of product | Procedures and records |
| 7.Product realization – 6.Control of monitoring and measuring devices | Manufacturing and product traceability |
| 8.Measurement, analysis and improvement – 1.General | Monitoring and ongoing improvement |
| 8.Measurement, analysis and improvement – 2.Monitoring and measurement – 1.Feedback | Monitoring and ongoing improvement |
| 8.Measurement, analysis and improvement – 2.Monitoring and measurement – 2.Internal audit | Procedures and records |
| 8.Measurement, analysis and improvement – 2.Monitoring and measurement – 3.Monitoring and measurement of processes | Monitoring and ongoing improvement |
| 8.Measurement, analysis and improvement – 2.Monitoring and measurement – 4.Monitoring and measurement of product – 1. General requirements | Design control |
| 8.Measurement, analysis and improvement – 2.Monitoring and measurement – 4.Monitoring and measurement of product – 2.Particular requirement for active implantable medical devices and implantable medical devices | Procedures and records |
| 8.Measurement, analysis and improvement – 3.Control of nonconforming product | Procedures and records |
| 8.Measurement, analysis and improvement – 4.Aalysis of data | Monitoring and ongoing improvement |
| 8.Measurement, analysis and improvement – 5.Improvement – 1.General | Monitoring and ongoing improvement |
| 8.Measurement, analysis and improvement – 5.Improvement – 2.Corrective action | Procedures and records |
| 8.Measurement, analysis and improvement – 5.Improvement – 3.Preventive action | Procedures and records |
