Product development of medical devices – ISO 13485 is now a requirement
Atostek adopted a more systematic approach to quality in late 2017, when we began documenting and supplementing our quality system with a view to earning the ISO 9001 certificate. However, this was insufficient, so late 2019 we began a new quality-system development project, with the aim of obtaining an ISO 13485 medical devices certificate.
During development of the ISO 9001 quality system in 2017, it was great to see how many issues we were already handling well — but documentation was lacking here and there, and there was a huge need to record various tasks. From the viewpoint of a quality system, if something hasn’t been recorded, it hasn’t been done. We were ready for ISO 9001 certification in July 2018.
After taking a moment to catch our breath, we began adapting our healthcare and medical software development processes to comply with ISO 13485.
Better software
So why did we want more-rigid processes, when we already had 9001? The transition period for tightening medical device regulations in the EU began in spring 2017. The transition period for the Medical Device Regulation (MDR) will end in spring 2021 and that for the In-vitro Diagnostics Regulation (IVDR) in spring 2022. These reforms will make it increasingly difficult for medical software providers to create software that complies with the regulations, unless developers work in accordance with ISO 13485.
In addition, product development and production subcontractors will face less risk if the supply chain is covered by ISO 13485 quality system certificates. During development of quality systems, organizations accumulate a great deal of expertise on regulations, which enables broader-based service packages.
Atostek launched its ISO 13485 project by tendering for a quality consultant, who helped us get off to a fast start in extending our quality system and provided plenty of expertise. Along the way, we had to acquire a large number of quality-standard certifications, as the need for them arose. At the audit stage, we still had to check how a certain issue had unfolded in practice. I was able to refer to the ISO 13485:2016, IEC62304:2015, ISO14971:2019 and IEC62366-1:2015 standards: wonderful bedtime reading!
Patient safety — the top priority
The most labor-intensive part of the project turned out to be the integration of systematic and traceable specification, and risk management, with routine software development. Up to the very last moment, I had to keep telling myself that risk management in line with the ISO 13485 and ISO 14971 standards was necessary for patient safety in particular, and that the financial and scheduling risks were in no way relevant. On the other hand, they are very relevant for the company and fulfilment of the ISO 9001 standard.
At Atostek, an ISO 13485-compliant quality system was created to cover product development projects for medical software, and development and production of our own product, Atostek eRA. Industrial software development and consulting, for which ISO 9001-compliance was sufficient, were excluded.
Raising the quality system’s level will enable us to raise the level of service we provide for our current and new healthcare and medical customers. Now, we can also manufacture medical devices and software.
For example, the hallmark of ‘medical devices’ or ‘medical software’ is that their use for medical purposes is not completely prohibited by the small print. Instead, their marketing material and instructions describe their medical use and benefits in terms of monitoring, diagnosing or preventing an illness. A medical device or software also bears the appropriate CE marking.
Further interesting specifications and requirements can be found in the EU’s MDR/ 2017-745 and IVDR/ 2017/746 regulations.
Juho Leppämäki
Quality Manager