ISO 13485 – 2016 Checklist
A checklist on where to start, and what to do first
Whether you are freshly minted into the QMS position or you are a founder of a Startup or a product manager with a new project, you’re reading this because your strategy requires QMS oversight and your first question is likely “where to start” and “what to do”.
If you do QMS right, it’s not a burden, not an added layer of management that gets in the way.
The following checklist will guide you.
ISO 13485-2016 implementation steps
- Classification of the medical device – As a start, review the characteristics of your medical device and determine its classification. Determine if it is a class I, II or III device according to the risk associated with the product. Based on this start point, proceed to overview and familiarize yourself with the relevant statutory and regulatory requirements related to the product as well as to determine the product status: is it a continuation of an existed version of the product or are you starting from scratch. Document the decisions related to devise development.
- Select an appropriate QMS manager – In most of the cases the QMS manager has been selected from the existing team members, and the assigned employee is generally working in another position as well. The point is that they must be properly trained in order to provide QMS oversight in an appropriate manner. The QMS manager can be a self-trained or a certified QMS manager. Companies sometimes involve third-party Consulting organizations. Either way, an assigned internal employee would still be prudent, if not necessary.
- Performing a GAP analysis for QMS – The purpose of the GAP analysis is to show the difference between what you are currently doing and what the Standard is expecting. The GAP will reveal the “holes” that need to be plugged and determine what processes you are using and which you are not using – based on what is appropriate for your product’s characteristics, the structure and size of the company and its main activities. The GAP analysis additionally serves as a template to help implement the QMS system in the company in a logical and structured manner.
- Prepare Quality Policy – The Quality policy is a statement that includes the company’s primary goals and the strategy to achieve them. Quality Policy shall be promoted throughout the company. All the employees shall be aware of the Quality Policy and are required to work according to this policy.
- Determine the Quality objectives – The Quality policy sets the route to Quality objectives that are more concrete goals related to certain processes. The Quality objectives can be presented in the Quality manual or described in a separate document. All employees should be aware of the Company’s Quality Objectives.
- Organizational structure – Establish the draft of the company’s structure, in a so-called Organizational chart, that should look like a diagram including all the positions foreseen for the company or for a certain project inside the company – depending on whether the QMS system is related to a certain product or a product group. The Organizational chart should include the positions (with or without concrete names or avatars) and the relationships (hierarchy) between those positions.
- Establish the Quality plan – The Quality plan is a common table or sheet that should include the following: QMS activities, start dates, due dates, responsible person for certain activities, impact on other processes, means of proofs for effective implementation of certain activities, resources required for that activities, etc. The Quality Plan should be updated regularly as the project proceeds or changes. The following typical activities might be included: internal audits, management reviews, implementing CAPA, selection of a certification body, etc.
- Establish the Quality manual – This document should include the following: Process interaction diagram (Generally consists of 3 levels: 1. The bottom level contains support processes such as Document control and Training; 2. The middle level contains core processes such as Design and development, Purchasing and Manufacturing; 3. Top-level contains the Management processes such as Management review, Internal audit, and CAPA); Statements of the applicable processes and their implementation, list of excluded processes and the reason of exclusion, Organizational chart, Quality objectives, Quality policy, references to relevant documents such as Work instructions, process descriptions, and forms.
- Establish processes for Document and Record Control – these processes should be amongst the first to define and implement, and should be approved before implementation – starting with the document and record control!
- Performing training related to processes of Document and Record control – All employees should have the training to learn how to use properly the QM system. The employees shall be aware of the company’s QMS strategy that may include: document management, issue management, communication etiquette, QMS software used, risk management and other relevant QMS related activities.
- Establishing the remaining QMS processes – All the applicable processes have to be properly documented in the company. These process definitions and rules should be available for relevant employees. The process descriptions or definitions have to contain the specifics and the real how-to facts for each defined process. The employees should perform their work according to the rules laid down in these process definitions.
- Work Instructions for quality management activities – Work Instructions should be prepared where they are necessary for an effective accomplishment of a concrete process or activity. Examples of Work Instructions may include directions for using a certain computer software or performing a task on an assembly line, instructions for issuing a refund to a customer, processing a sale or collecting payment on an account, etc.
- Job Descriptions for each position – The job description concerns only for a position, not for an employee, therefore employees for a certain position can be changed but the description and requirements for that position remain the same. A common job description document should include the following data: Position title, position requirements, necessary experience, education and skills to perform tasks related to the particular position, relationships with other positions, reporting requirements, etc.
- Appoint the Management Representative – The Management Representative is a person who oversees the whole QMS system and serves as an interface for external parties, like certification bodies, external auditors, customers, governmental institutions, etc. Anybody can be assigned for the Management Representative position, but usually, this is the QMS manager’s duty. The Appointment letter has to be approved by the CEO. In case the Management Representative has a deputy, the CEO has to approve the deputy as well.
- Employee list with positions and other details – This list should be available only for senior management, it includes details from employees, like name, position(s), department, projects involved, contact information, etc. If the list is updated regularly, it can simplify manager tasks, like the monitoring of the current state/position of employees; with all the contact information it makes it easier to reach people; group people for a project, etc. This list can be part of a QMS software as a separate function.
- Employee CVs – All the employees’ CVs should be stored in the Company’s system. The CVs of the newly employed person can be used as indicators to show what kind of additional training will be necessary based on the gap determined by the comparison of the CVs and job descriptions/requirements.
- Document training on the procedures comprising the quality system - A signed form indicating that employees “read and understand” the procedures is not enough. Training records should include evidence of the effectiveness of training, and you should be able to demonstrate the competency of the people performing those procedures.
- Purchasing – Management has to decide whether there are certain processes that should be outsourced, such as manufacturing, installation, servicing, packaging, etc.
The outsourced processes should be controlled by the Company. The results (products, parts or services) coming from outsourcing should be verified. The requirements shall be established before selecting an outsource company. If there are no such outsourcing activities, you can jump to the next step, and let your company implement all of the core processes that have been determined.
- Implementation of the core processes – When all the managers and employees have been prepared to use the QMS system the implementation can be started. The implementation can be paper-based or using electronic document formats in a QMS software environment. The core processes might include design and development processes, customer-related processes and production-related processes.
- Full quality system internal audit - Timing of the internal audit should be late enough in the quality plan. If the internal auditor(s) has been heavily involved in the implementation of the quality system, the Company may decide to hire an external consultant to perform the first internal audit. All audit findings should be recorded in the Internal audit report. The report should be approved by the Audit Manager or by the Management Representative.
- CAPA – Corrective and Preventive Actions could be induced by different reasons. It might be initiated as a result of an internal audit, risk assessment, management review, and some kind of nonconformance discovered, or by receiving a complaint from customers, etc. Corrective actions should be investigated and the root cause should be determined. All the CAPA findings and proposals for taking certain corrective actions should be reviewed and approved by the Management. The implementation of each corrective action should be verified to prove their effectiveness. Preventive actions can be implemented in almost any case after the Corrective action. In order to determine the possible preventive action, a so-called Root Cause analysis should be performed.
- Performing Management Review – Management review should be performed on a regular basis, but such a meeting has to be organized after each internal audit, design change or when some nonconformance appears, as well as when a product has been returned or complaint has been received. A management review doesn’t have to be a huge meeting, with all the managers, external experts, etc. involved every time. In most of the cases, it is in the director’s office, and it’s including only the relevant persons. The main principle of these meetings is the properly documented results, that are mediated to the appropriate positions by using the appropriate means.
- Management of the suppliers - This may involve identifying the Company’s suppliers, ranking them according to type and risk, qualifying or disqualifying them and executing supplier quality agreements.
- Updating the Quality Plan as the project proceeds – The constant monitoring and update of the Quality Plan will be required throughout the project implementation or product manufacture. For example, rearranging resources, prolong due dates, adding new activities that had been not foreseen previously, etc.
- Involve a Consultant for the next internal audit – It is recommended to involve a consultant company or person for the internal audit, before submitting a request for the external auditors or certification bodies.
- Performing Management review – The Management should review the CAPA findings and make decisions related to appropriate Corrective actions.
- Getting certified – Select an appropriate Certification body and submit your request for ISO 13485:2016 certification.