Gluu

Process Documentation in a Medical Device Company

By Søren Pommer
Last updated on 23/03/2024

How do you work with management systems and process documentation in practical terms, when you have to comply with both ISO 27001 and ISO 13485? Read how Auditdata works with their management system in terms of version control and controlling processes during day-to-day operations while trying to keep it simple.

Last week I interviewed Steen Schledermann, QA, Regulatory & IT Director at the Danish medical device company Auditdata A/S. We talked about the way they work with their management system and process documentation in practical terms, being an ISO 27001 and ISO 13485 certified developer of medical equipment.

In short, Auditdata is a growing international company with about 60+ employees. Auditdata A/S delivers software and diagnostic equipment to audiology clinics and hospitals in both the public and private sectors. The company has headquarters in Denmark, a development centre in Kiev, sales and support in England, and outsourced production in Sweden.

Working with Version Controlled and Controlling Processes

Steen Schledermann emphasized that Auditdata operates in a heavily regulated field:

“We have many processes that need to be version controlled and controlling. They need to be familiar to the people working with them, and they need to be up-to-date. Therefore, we have a great need for keeping track of the associated process documentation, processes, and dissemination.”

Steen Schledermann also states that they use two document management systems in relation to the two revisions – ISMS (Information Security Management System) and Aras PLM (Quality Management System). Both are management systems; the QA system is targeted at the product development of medical devices.

“There are some fairly strict requirements for the way it needs to be done, so the processes are described thoroughly”

Management Systems in Practical Terms

The Aras PLM system is a professional quality management system for process document management. The system is used to create relationships between documents in order to electronically define them and delegate them to responsible parties. Documents can also be signed and approved electronically.

Steen Schledermann says that the challenge for QA systems for medical devices is that everything needs to be well defined in a technical file – a specific structure for the kind of documentation required for each release and version of a given system. Furthermore, every release of a version must be traceable for 10 years.

“The database requirements associated with this are fairly significant. This is why we use a relational database management system to manage this part.”

Previously, the company had its documents, process documentation and descriptions available through SharePoint as an intranet solution. Last year, they decided to use the Neupart solution SecureAware – an information security management system. Steen Schledermann says that ISO 27001 is a management standard that very much emphasizes risk assessment of the company’s assets – a relatively complex task. SecureAware facilitates making connections between assets and traceability purely based on risk between the different components in the company. He elaborates:

“This is what is expected in the standard – having a documented overview of the company’s major information assets and being able to explain the company’s risk exposure by making continuous risk assessments. Based on the risk assessment, you develop a Plan of Action for reducing the identified risks. Keeping track of these assessments can be a relatively complex project management task, and they are always changing. This need is particularly supported by the SecureAware system”.

He states that the ISMS system supports standard requirements for risk assessments, where a universal catalogue of security threats makes it easy to work with risk assessments with respect to breaches of confidentiality, integrity, and availability of the company’s information assets.

The ISMS system accounts for all security policies in the company – anything from electronic to physical and personal security. Steen Schledermann states:

“There are more than 110 requirements that must be met in the area of security according to the standard. The standard is fairly comprehensive, and for this reason, it is extensive and complex. There is a lot of information to disseminate.”

The system has a section for policy documents and compliance, as well as a Business Continuity Management Module that makes it relatively simple to describe emergency procedures in case anything goes wrong, which is also a requirement according to the standard.

Ownership

The management system as a whole is owned by the management, and the responsibility for ongoing operation and maintenance is delegated to the QA Director and the Information Security Manager.

Furthermore, Auditdata holds quarterly Management Review meetings, where an agenda covering the QA systems and the ISMS system is reviewed with management. This way, the management is kept in the loop about the development of the systems and the company with regard to quality assurance and information security.

Active Participation in the System

I asked Steen Schledermann about the division of roles within their management system. He responded that anyone with a role in the system could contribute where that individual has ownership. He states that participants in the system work actively with the process documents:

“The QA system in particular is one where documents are circulated. There is an author, a reviewer, and someone granting approval. This way, there is active participation, and there is a process flow that the documents follow”.

He further states that their ISMS system allows individual sections of a document to be assigned to responsible parties. Moreover, comments and changes in the system are traceable by version:

“So yes, they are collaborative tools when we’re talking management systems.”

Improvements and Development in Practical Terms

I asked Steen Schledermann how Auditdata works with improvements and changes in practical terms. His answer was that they have a Change Management Process. It is defined as a set of templates, which they use according to the type of change that needs to be made.

At the moment, they are using Word templates. These are located on SharePoint, which is the base for change requests that are not related to product development. Similarly, Auditdata’s QA system has a built-in change request in relation to product development, so players can contribute and approve them.

Steen Schledermann explains that they are also using the collaborative tool Microsoft Team Foundation Server for their entire software development process. Since they develop and manufacture medical devices, it is a requirement that they document the entire development process, verification and traceability reports. He elaborates:

“Therefore, we have a very well established and automated information management system for our software development – we have all the development documentation in this collaborative system. This is where you execute typical changes to the software or the products. They run through specific documentation flows that are a key part of the overall development system.”

The company’s access control policy allows all developers, product managers, players, and others involved in the Project Development Process to access the system. The system also serves as an internal collaborative tool in the company, since it crosses physical locations, Steen Schledermann explains:

“It’s very much a collaborative system, and we really benefit from that, precisely because we are so decentralized.”

The Management System of the Future

I asked Steen Schledermann how he sees the future for management systems. He suggests that one of the key mechanisms of the future is having a Risk Management System available to the company, especially for companies like Auditdata that are ISO 27001 certified, which requires a lot of process documentation.

He describes how they themselves have worked with the idea of creating a QIMS (Quality & Information Security Management System). That way, they could combine common aspects of their two management systems and optimize the work by handling more certifications.

Steen Schledermann also emphasized that he believes an important factor for management systems is keeping them simple:

“It’s pretty overwhelming, the amount of information and procedures that need to be documented when documenting these management systems. You really have to make an effort to make it as simple and easy as possible. Otherwise, people lose interest”

He believes usability should be a priority in all management systems, both in terms of accessibility and in the reading of documents and processes. To simplify documents and guide people into the context, he already uses visual illustrations and drawings himself:

“Visual illustrations or images are usually much easier to remember than two pages of text. This is something that makes it much easier to digest when sitting there with a lot of documents.”

Another aspect he predicts for the future is making management systems accessible via mobile devices without having to log into a computer and into a heavy system. Steen Schledermann concludes:

“It is important to follow the trend in the way employees prefer to access knowledge, like the way you are used to with your personal use of apps and technology. This is part of what I think is important”

These are the words from Steen Schledermann from Auditdata A/S. Soon we’ll present another case and another perspective.

Frequently Asked Questions

What specific steps are needed to ensure that all process documentation is effectively used for ISO 13485 compliance?

To effectively use all process documentation for ISO 13485 compliance, organizations must follow a few specific steps. First, they must identify all the processes in their operation and understand their interactions. Subsequently, they should document and communicate all procedures related to the quality management system across the organization. After that, the implementation of each respective procedure across the organization ensures uniformity. Ultimately, organizations must continuously monitor and conduct regular audits of these procedures to ensure compliance and identify any deviations.

How often should a company review and update its process documentation to maintain ISO 13485 standards?

ISO 13485 standards advocate for companies to continuously review and update their process documentation. Companies must revise and update their documentation whenever they note a deviation or when the product, process, or system changes. Even in the absence of noticeable changes, it is ideal for companies to review their documentation at least once every year. Such consistent reviewing aids in identifying and resolving potential issues early, mitigating any negative impact on compliance status.

Besides the TraceAnalyzer software, are there other technologies or tools that can be beneficial in maintaining or achieving ISO 13485 compliance?

Besides TraceAnalyzer software, other technologies help achieve ISO 13485 compliance. These include Quality Management System (QMS) software, which streamlines quality processes as per ISO standards, and digital document control systems for maintaining process documentation.
