How do you work with management systems and process documentation in practical terms, when you have to comply with both ISO 27001 and ISO 13485? Read how Auditdata works with their management system in terms of version control and controlling processes during day-to-day operations while trying to keep it simple.
Last week I interviewed Steen Schledermann, QA, Regulatory & IT Director at the Danish Medical Device company, Auditdata A/S. We talked about the way they work with their management system and process documentation in practical terms, being an ISO 27001 and ISO 13485 certified developer of medical equipment.
In short, Auditdata is a growing international company with about 60+ employees. Auditdata A/S delivers software and diagnostic equipment to audiology clinics and hospitals in both the public and private sectors. The company has headquarters in Denmark, a development centre in Kiev, sales and support in England, and outsourced production in Sweden.
Working with Version Controlled and Controlling Processes
Steen Schledermann emphasized that Auditdata operates in a heavily regulated field:
“We have many processes that need to be version controlled and controlling. They need to be familiar to the people working with them, and they need to be up-to-date. Therefore, we have a great need for keeping track of the associated process documentation, processes, and dissemination.”
Steen Schledermann also states that they use two document management systems in relation to the two revisions – ISMS (Information Security Management System) and Aras PLM (Quality Management System). Both systems are management systems where the QA system is targeted to the product development of medical devices.
Management Systems in Practical Terms
The Aras PLM system is a professional quality management system for process document management. The system is used to create relationships between documents in order to electronically define them and delegate them to responsible parties. Documents can also be signed and approved electronically.
Steen Schledermann says that the challenge for QA systems for medical devices is that everything needs to be well defined in a technical file – a specific structure for the kind of documentation required for each release and version of a given system. Furthermore, every release of a version must be traceable for 10 years.
“The database requirements associated with this are fairly significant. This is why we use a relational database management system to manage this part.”
Previously, the company had documents, process documentation and descriptions available through SharePoint as an intranet solution. Last year, they decided to use the Neupart solution SecureAware – an information security management system. Steen Schledermann says that ISO 27001 is a management standard that very much emphasizes risk assessment of the company’s assets – a relatively complex task. SecureAware facilitates making connections between assets and traceability purely based on risk between the different components in the company. He elaborates:
“This is what is expected in the standard – having a documented overview of the company’s major information assets and being able to explain the company’s risk exposure by making continuous risk assessments. Based on the risk assessment, you develop a Plan of Action for reducing the identified risks. Keeping track of these assessments can be a relatively complex project management task, and they are always changing. This need is particularly supported by the SecureAware system”.
He states that the ISMS system supports standard requirements for risk assessments, where a universal catalogue of security threats makes working with risk assessments easy with regard to breaches of confidentiality, integrity, and availability of the company’s information assets.
The ISMS system accounts for all security policies in the company – anything from electronic to physical and personal security. Steen Schledermann states:
The system has a section for policy documents and compliance, as well as a Business Continuity Management Module that makes it relatively simple to describe emergency procedures in case anything goes wrong, which is also a requirement according to the standard.
The management system as a whole is owned by the management, and the responsibility for ongoing operation and maintenance is delegated to the QA Director and the Information Security Manager.
Furthermore, Auditdata holds quarterly Management Review meetings, where an agenda is reviewed with management with regard to QA systems and the ISMS system. This way, the management can be kept in the loop about the development of the systems and the company with regard to quality assurance and information security.
Active Participation in the System
I asked Steen Schledermann about the division of roles within their management system. He responded that anyone with a role in the system could contribute where that individual has ownership. He states that participants in the system work actively with the process documents:
“The QA system in particular is one where documents are circulated. There is an author, a reviewer, and someone granting approval. This way, there is active participation, and there is a process flow that the documents follow”.
He further states that their ISMS system allows for assigning responsible parties individual sections of a document. Moreover, the system is traceable according to the version in regards to comments and changes:
Improvements and Development in Practical Terms
I asked Steen Schledermann how Auditdata works with improvements and changes in practical terms. His answer was that they have a Change Management Process. This is defined as various templates, which they work with depending on the type of changes that need to be made.
At the moment, they are using Word Templates. These are located on SharePoint, which is the base for change requests that are not related to product development. Similarly, Auditdata’s QA system has a built-in change request in relation to product development, so players can contribute and approve them.
Steen Schledermann explains that they are also using the collaborative tool Microsoft Team Foundation Server for their entire software development process. Since they develop and manufacture medical devices, it is a requirement that they document the entire development process, verification and traceability reports. He elaborates:
“Therefore, we have a very well established and automated information management system for our software development – we have all the development documentation in this collaborative system. This is where you execute typical changes to the software or the products. They run through specific documentation flows that are a key part of the overall development system.”
All developers, product managers, players, and others who are involved in the Project Development Process can access the system according to the company’s access control policy. The system also serves as an internal collaborative tool in the company, since it crosses physical locations, Steen Schledermann explains:
“It’s very much a collaborative system, and we really benefit from that, precisely because we are so decentralized.”
The Management System of the Future
I asked Steen Schledermann how he sees the future for management systems. He suggests that one of the key mechanisms of the future is having a Risk Management System available to the company, especially for companies like Auditdata that are ISO 27001 certified, which requires a lot of process documentation.
He tells how they themselves have worked with the idea of creating a QIMS (Quality & Information Security Management System). That way they could combine common aspects in their two management systems and optimize the work by handling more certifications.
Steen Schledermann also emphasized that he believes an important factor for management systems is keeping them simple:
He believes usability should be a priority in all management systems – both regarding accessibility and reading of documents and processes. To simplify documents and guide people into the context, he already uses visual illustrations and drawings himself:
“Visual illustrations or images are usually much easier to remember than two pages of text. This is something that makes it much easier to digest when sitting there with a lot of documents.”
Another aspect he predicts for the future is making management systems accessible via mobile devices without having to log into a computer and into a heavy system. Steen Schledermann concludes:
These are the words from Steen Schledermann from Auditdata A/S. Soon we’ll present another case and another perspective.