By Guest Blogger, Brigid Glass
The author describes 12 important tasks (training, auditing, etc.) which should be included in your plan for successfully implementing ISO 13485.
For your ISO 13485 implementation project, use a planning tool that you are comfortable with (e.g., a spreadsheet or project planning software). Your plan should include the following:
- Identification of each task
- Target dates for completion of each task
- Primary person responsible for each task
- Major milestones throughout the project
Regular progress reports to top management and implementation meetings with all process owners are recommended to track your progress to plan. Weekly meetings are also recommended, so that no tasks can fall too far behind schedule. Be sure to invite top management to weekly meetings, and communicate the progress toward completion of each task to everyone within your company. The list below identifies 12 of the most important tasks that should be included in your plan.
12 Tasks to Consider for Implementing ISO 13485
- 1. Select a certification body and schedule your certification audits (i.e., Stage 1 and Stage 2). If you want to place devices on the market in the EU, Japan or Canada, make sure your certification body meets the specific regulatory requirements for that market (http://bit.ly/Sept24FX).
- 2. Establish a Quality Manual and at least 19 required procedures. If you have purchased a copy of the excellent Canadian CSA publication “Plus 13485” (http://bit.ly/13485Plus), this lists required procedures for you. There are a few extra procedures or work instructions needed to meet regulatory requirements (e.g., training, mandatory problem reporting, and post-market surveillance).
- 3. Document training on the procedures comprising the quality system. A signed form indicating that employees “read and understand” the procedures is not enough. Training records should include evidence of effectiveness of training, and you should be able to demonstrate competency of the people performing those procedures.
- 4. You must complete at least one full quality system internal audit. Timing of your internal audit should be late enough in the quality plan that most elements of your quality system have been implemented. However, you want to allow enough time to initiate CAPAs in response to internal audit findings before your Stage 1 audit. If your internal auditor(s) have been heavily involved in the implementation of the quality system, you may need to hire an external consultant to perform your first internal audit.
- 5. You need to complete at least one management review, which can be done just before the Stage 1 audit. My preference, if there is time, is to have at least two management reviews. The first review might occur three months before the Stage 1 audit, just before you plan to perform an internal audit of the management processes. There may be limited data to review at that time, but this first review provides an opportunity to train top management on their roles and responsibilities during a management review.
The second management review must cover all the requirements identified in ISO 13485, Clause 5.6. The second management review is also your last chance to identify any gaps in your quality system, and initiate a CAPA or action items before your certification auditor arrives.
- 6. Compliance with regulatory requirements must be a commitment stated in your company’s Quality Policy. Specific regulatory requirements should be traceable to a specific procedure(s).
If you are seeking ISO 13485 Certification as part of the Canadian Medical Device Conformity Assessment System (CMDCAS) or the CE Marking process, then these regulatory requirements will be specifically included in your certification audit.
- 7. Systematically incorporate customer and regulatory requirements into the quality management system. For contract manufacturers, this is especially important, and the Supplier Quality Agreements your company executes are the best source of these customer requirements. If your company is a legal manufacturer (the company named on the product label), this task is probably addressed sufficiently in tasks #1 and 6.
- 8. You need to implement a supplier quality management process. If you already have a strong supplier quality program, then this may be a small task involving a few changes to your procedure. If you don’t have much of a supplier program yet, then this may involve identifying your suppliers, ranking them all according to type and risk, qualifying or disqualifying them and executing supplier quality agreements.
Note: If you need training on Supplier Quality Management, you might consider participating in Medical Device Academy’s October 4th training workshop (http://bit.ly/MDAWorkshops).
- 9. If product design is within the scope of your QMS, which is typical of legal manufacturers, but not for contract manufacturers, then you must establish a design control procedure(s). Product development projects often operate in a timeframe that is longer than your implementation project, and you may need ISO 13485 certification as part of the regulatory approval process.
Therefore, the minimum expectation is to initiate at least one development project prior to the certification audits. For records of implementation, you should have a design project plan, an initial risk management plan, and reviewed and approved design inputs for your first product, and you should conduct at least one design review.
- 10. Document what your Certification Body expects (e.g., notifying them of significant changes). These expectations are likely to be stated in your contract with the Certification Body.
- 11. Appoint the management representative and a deputy. Ideally, this is formally documented with a letter of appointment signed by the CEO and the management representative. This letter should be maintained in the management representative’s personnel file, along with a copy of the job description explaining the job responsibilities of the management representative. This may also be achieved by identifying the management representative and a deputy in your company’s organization chart.
- 12. After the certification audit, your last task should be to “Create Quality Plan #2”—another PDCA (http://bit.ly/PDCAcycle) loop through the system. The reason for a new quality plan is to implement improvements based upon what you learned while you were building the quality system for the initial certification audit.
If your company wants to achieve ISO 13485 certification, you may be interested in our 6-part, “Road to Certification – The Series” (http://bit.ly/roadmapiso) audiocasts beginning on August 28, 2013 (also available as a recording).