On this day, I was seated at the table with three quality consultants, who had traveled in that morning, and our whole team from the company. We had just, a month or two earlier, announced that our startup had secured a 500,000-euro seed investment from two venture capital firms, so we now had the funds to really roll up our sleeves and get to work doing the things we had spent the previous year pitching to investors. Job number one, although it at times seemed there were more than one of those, was the development of a quality management system, or QMS, for short, so that we could then build a medical device product under that QMS and ship it to healthcare customers worldwide.

At the meeting, I was looking forward to a relaxed discussion on how the quality consultants saw the process going forward and figuring out for myself what supporting role I could play in the process. But things were to unfold differently. No sooner had we sat down at the table than I heard our CEO say to me, “I guess you will handle the development of the QMS from here on out, right?” I had not expected this at all, I definitely had not planned for it, but since all voiced opinions seemed to confer, I felt myself nod, and that was it. All of a sudden, I was to become our quality manager, and the meeting took on a new meaning for me.

This book tells the story of the following months that led to the launch of our QMS some seven months later and its audit and certification by a big notified body long thereafter. More on that “long thereafter” a little bit later.

The idea for this book came out of countless encounters with other startups, industry giants, quality consultants, standardization experts, notified bodies, and even representatives of the European Commission and their HAS harmonization consultants, who I thought for sure were unicorns. Since the very beginning of the process, I had wanted to get as many points of view from all the connected parties as possible in order to best shape our QMS. The words of the old Tom Brokaw ad echoed in the back of my mind as I was doing this: “In order to form an opinion you need information. To form a balanced opinion, you need all the information”. The trick, I thought, would be to meet all the requirements for a QMS but do so as leanly as possible. Otherwise, the weight of the system would pull us down and keep us from achieving what we wanted—to push the science and improve patient outcomes. All during the process, I had been testing out my ideas on others and sharing my ideas on best practice when I could. Since finishing work on writing up my doctoral thesis, toward the end of the first two years of the same four-year period, I had also been itching for a new book project. The dots of a QMS and a book project connected for me when I was recently asked to prepare a presentation on my experiences for a Danish medtech incubator. In going through my notes and preparing that short intro, I started to think that there might be wider interest for this in book form, especially for something based on current information and real-world experiences, both of which I have attempted to fuse into the discussion here.

This book is not intended as a substitute for reading the ISO 13485 standard, but it will make the process of acquainting yourself with the standard easier and, hopefully, also save you from a number of misunderstandings and extra hurdles in implementing the standard. I have included checklists and tips where I thought they would be helpful and infused real experiences from both my own QMS development process and those relayed to me by my peers throughout the book. I hope all this will be useful to you as you develop your QMS, either from scratch or through an iterative process of improvement from where you are now.

It took us a little over seven months to build our QMS from scratch while also developing our startup company, our R&D pipeline, and our first medical device product at the same time. It then took us 14 months to pass our multisite audits and a further 7 months to finish product documentation and get the certificate in the middle of the COVID-19 pandemic and the uncertainty surrounding the MDR transition in Europe. It was an extraordinary experience from start to finish, and yet this, too, is just the start of the next phase for us. In this process, we got to learn a lot, innovate, and experiment with a great number of new ideas. The lessons we learned were all positive, but some more so than others. This book is written to relay some of those lessons, concentrating on the ones I feel might help you the most on your path to developing, improving, and working with your QMS.

The international ISO 13485 standard this book addresses has become a cornerstone of medical device business the world over. In Europe, the standard will now, in effect, be required of all classes of medical devices; and except for Class I devices, the quality management systems are also required to be certified according to the standard. In the US, the FDA is working on aligning its Quality System Regulation (QSR) with the standard; and the international Medical Device Single Audit Program (MDSAP), in which the FDA is also very active, already makes it possible to use the standard in auditing quality management systems for the US market. The standard already has an integral role in quality management for medical device manufacturers, but recent steps, including the transition to the MDR regulation in Europe, mean that the standard is still new to many actors, many of whom haven’t yet had to work with the standard. Also, the recent incremental steps taken toward enabling artificial intelligence in medical devices, and other emerging technologies, look set to heighten the role of the standard as a gatekeeper solution. The rest of the world, too, appears to have a keen eye on the standard.

In other words, the ISO 13485 standard has no competition in medical devices, it is stable itself, there is great interest in it worldwide, and the audience for the standard is rapidly expanding. This book is written to serve all these audiences, in making sense and making the most out of the standard.

This book is intended to do the following:

If you are not the one tasked with the hands-on development of your organization’s QMS but are looking to understand it, perhaps as your organization’s management representative or an employee expected to work with it at some point, this book will provide you with practical insights into developing, running, and working with a QMS. For the management, this book will act as the API for QMS that provides a practical handle on the work and allows you to understand why something is done or should be done in a certain way. For the employee expected to work with QMS, this book will place your work within the larger quality framework and give you perspective on why the thing you are asked to do actually matters a great deal.

This book is based on my personal experience from developing, running, and certifying an ISO 13485:2016 Quality Management System for my young medical device startup. I am one of the founders of the company and the one tasked with figuring out our QMS as our quality manager. I am also the chief operations officer and a longtime board member of our company, so I have had the privilege of seeing all our operations mature and finding out how quality management can fit in on several levels of the organization. I have not done this alone. In addition to a great Quality Management Team and our generally stellar staff at the startup, I have also had quality consultants available for consultation on those occasions I have wanted some expert feedback. On top of this, I have had the fantastic network of peers I have been lucky enough to build over the years.

One more thing I should mention before I get into timelines is that our startup life began as a commercialization project at the University of Oulu, Finland. We had a certain innovation coming out of our research at the university, and with the aid of a two-year grant from Business Finland, we started to test the waters for building a business around it. Over the two years, we went about formulating our concept and business model, oftentimes by talking with potential users, customers, distributors, and funders. Our aim was to secure funding for our company once we spun off from under the university and to have the best possible plan to execute when we did get funding. Toward the end of the two-year grant, we had a clear idea of what our product should be and we even had a working demonstration of the product. Once we had secured our seed investment round, it was time to run with our plan. The plan called for us to build an ISO 13485–certified QMS with a standards-based R&D process, develop our first medical device according to the QMS, and launch a CE-marked medical device in Europe. It was clear that we needed the QMS in place before we could use it to develop our product, but due to real-world constraints, we needed to work on both at the same. Thus, our QMS development was tied to developing our standards-based R&D process, and our QMS certification to the certification of our product. This was not quite a chicken-and-egg problem, but we were definitely trying to forge the frying pan at the same time as cooking an omelet. If we were successful, we would have a process that perfectly matched our needs and was tuned to our way of doing R&D. But if we were unsuccessful, we could have a royal mess on our hands with so many variables to fix in an already partially operational process that it might be easier to just start over. As it turned out, we were successful. The joint development of the QMS and product did have an effect on the overall QMS certification schedule, and it did cause a delay with the QMS certification compared to what it could have been when it was the only goal, but since the end goal was to develop and release a CE-marked product through a certified process, the delay was immaterial.

The work on building our QMS began in late February of 2018, with a first meeting with the quality consultants we hired to help us in building our QMS. The spring of 2018 was an intensive period of going through one aspect of QMS after the other, usually in two-week sprints more or less according to the schedule suggested by the consultants. Seven months after starting work, we were ready to launch our QMS in October of 2018, and our first-ever internal audit was arranged a month later. The following spring, we had secured quotes from a number of notified bodies and certification bodies, and after having selected our notified body, we had our first site inspection in the late spring of 2019. After this, it took us a further eight months to achieve a status where we were ready for the second and final certification audit at our second site in December 2019. At the beginning of 2020, the worldwide COVID-19 pandemic hit and we still had some product documents in progress which we needed to finish to obtain the certificate. We received the official ISO 13485 certificate after months of delays caused by the pandemic at the end of June 2020 and the EC conformity assessment needed for the CE mark at the beginning of November 2020. It thus took us 7 months to have a launch-ready QMS, 22 months to have our multisite audits done, and approximately 28 months to get the QMS certified. This was slow but fast enough considering we also had a company to build and a product to develop at the same time—and a global pandemic to contend with too.

If you are looking to get your certified QMS faster, that, too, is doable. The fact that we had two sites and simultaneous product development in Class IIb were major factors in slowing our progress with just the QMS. Using a certification provider other than a notified body would have also greatly sped things up, as the notified bodies in Europe were involved in the massive shift from the EU’s Medical Device Directives to the Medical Device Regulation and a barrage of urgent issues surrounding the COVID-19 pandemic. The choice to go with a notified body was a conscious decision, one made primarily in the interest of removing differences of opinion between the operators we would be relying on, and it remains a decision with which we are very happy today.

The remainder of this book is set up so that one section leads to the next in a logical progression; after which, you will have a complete QMS up and running or, if you are not going to be developing a QMS yourself, a comprehensive view of what a QMS is and what it does. The next section, Section 3, introduces you to the top 25 lessons I have learned from our development project. This section is, to me, the heart of the book; reading it will hopefully give you both insight and new ideas. Section 4 then sets yo...