What complying with ISO 13485 means for medical software development – and for us

As a software development company, we don’t necessarily need to be compliant with external quality standards, but we want to be. And ISO 13485 certification is especially important in the context of medical app development – even more so with the Medical Device Regulation (MDR) becoming fully applicable in May 2021. If what you’re doing is related to healthcare, biotech, pharma, or digital health in general, you should definitely take this topic seriously. Read on to find out why ISO compliance is important in the medtech software development process.

What ISO stands for

Let’s start at the beginning: ISO stands for International Organization for Standardization and no, it’s not a mixed-up acronym, it’s actually the organisation’s name, derived from the Greek word isos meaning “equal”. As in, it sets out standards that are equal for everybody. ISO is an international non-governmental association of 165 standards organisations from various countries. The purpose of ISO is to form a generally acceptable set of guidelines that can assure the high quality of processes in management and manufacturing.

While compliance with the ISO standards is not mandatory, many international and state regulations are largely in line with them. To obtain ISO certification, a company must implement the rules outlined in a given standard and submit to an audit by one of the independent organisations that establish compliance with ISO regulations. It is a lengthy, complex, and expensive process, but the benefits of ISO certification outweigh the costs for many companies.

Probably the best-known ISO standards are those belonging to the ISO 9000 family, which deal with the fundamentals of building a quality management system and the steps companies need to take to achieve compliance with the standard and, ultimately, obtain certification. The aim of the standards is to assure the highest quality of management in a company, leading to greater shareholder and customer satisfaction.

ISO in medical software development

The standard we’re most interested in is ISO 13485, related to quality management system requirements, when an organization needs to demonstrate its ability to provide medical devices, including software and related services.

Since the medical industry is naturally a high-stakes game, where potential failures can literally have deadly consequences, the ISO 13485 standard focuses more than others on risk management. It sets out the rules organizations involved in manufacturing a medical device must follow and enforces management responsibility.

For a software company, this entails a high degree of control, quality assessment, and detailed documentation of every step of the process. Thus, an ISO-compliant software development company assures that all steps can be traced and audited to ensure the highest quality and that no unforeseen problems arise during the implementation and, more importantly, during the maintenance of the software.

This is particularly important, since software, unlike hardware, is never fully finished and will require constant maintenance, which necessitates a high degree of transparency in process and documentation. In simple terms: people responsible for updates and maintenance in the future must be able to understand perfectly how the software was built and how it operates. You definitely don’t want your medical procedure to be interrupted by a software glitch.

Becoming ISO-compliant and certified

Now, how exactly do you obtain ISO certification? Firstly, you have to purchase an ISO publication detailing the regulations involved in a given standard. It is also useful, if not necessary, to obtain the services of an ISO implementation expert.

Then comes the most complex part of the process: actually making the company compliant with the pursued standard. This requires the implementation of a quality management system as well as numerous changes to all parts of the company. For the manufacturing of medical devices, this may also necessitate physical changes to workshops, laboratories, clean rooms, etc. For software development though, it’s mostly a matter of making the process more organised and transparent and creating detailed documentation of its every step.

While a company that’s serious about maintaining safety, responsibility, and efficient management, as well as providing high-quality goods and services, may find that it already follows many of the tenets of an applicable ISO standard, there will always be something to improve. And you won’t know what it is until you start implementing the standard.

Finally, the company needs to apply to a certification body, which will perform a thorough audit of the company and check for compliance with the ISO standard and, hopefully, issues a certificate. That’s not the end though. Once becoming ISO-certified, the company undergoes annual audits, as well as a full recertification process every few years. This ensures ongoing compliance with appropriate standards.

Why bother with ISO?

Why go through all of this? Well, the first reason would be to improve the quality management system of the company. The ISO standards are well thought-through and their development is a long and very deliberate process, which means that whatever rules they set out for your company to follow, it is probably good for safety, performance, and customer satisfaction to follow them. Having sound risk management processes is always a good idea in the medical industry and complying with ISO will ensure that you do.

What’s more, having a certificate of compliance with ISO is a clear signal to your clients that they are dealing with a top-level, serious company, which may open the door to substantial contracts with significant customers. An ISO-compliant medical device manufacturer is also responsible for ensuring that the components sourced from other companies are of sufficient quality and will thus seek out contractors who are ISOcompliant. Software development is a great example here as this sort of work is often outsourced.

Finally, while ISO compliance is by no means mandatory, applicable quality system legislations in various countries are very often in line with the ISO standards. For example, the FDA has been working on making its own regulations match the ISO 13485 standard. And these regulations are actually mandatory for companies selling medical devices in the USA. Similarly, EU regulations for the medical device industry (including MDR) are also very close to those of ISO 13485. Thus, if you want to be licensed to operate in these areas, being ISO-compliant gets you halfway there.

Our take on ISO 13485

The process of adapting to ISO 13485 and IEC 62304 (a standard for medical software development processes) requirements at Revolve Healthcare was rather bumpy and difficult. It’s worth mentioning that, as a company, we always put great emphasis on the transparency of the management process in all projects, as well as its reliable documentation. Despite that, the clash with the requirements set by the standard, from the very beginning, showed how much work was ahead of us.

The complexity of the entire process starts with a thorough understanding of what the legislator actually expects of us. The point isn’t to drown in the sea of additional useless documentation but to realistically improve the quality of the delivered software. The stakes aren’t small, because we’re about to ultimately take responsibility for human health, and – in many cases – even life.

Therefore, when we decided to pursue ISO certification, we had to consider, first of all, how to meet all the described criteria, without having to turn our existing process upside down. We had to think about how not to block the flow of a given project by creating new documentation, as well as how to make the team see added value in meeting additional requirements. We needed every team member to treat those requirements as a logical necessity associated with a high degree of responsibility and, ideally, do this work willingly, understanding that it’s a safeguard against the potential consequences of failure.

Coming up with how to do this right definitely wasn’t easy but, from our point of view, it was the key to achieving full success. We spent a lot of time trying to find a hardly tangible balance between maintaining an efficient pace of implementation and adding necessary elements to it, ensuring the expected quality and failure-free operation of the developed solutions. In practice, it meant analyzing each individual requirement, deciding when during the whole process it should be met and in what way exactly. All that while simultaneously checking – with the help of a detailed analysis and an experienced consultant (Małgorzata, who’s now a part of our team) – if the proposed methods restrain the risk level adequately, reducing the consequences of a possible error. And, finally, confirming whether that error can be detected at the right moment.

Continuous improvement

The whole thing resembled an attempt to arrange a house of cards in a fairly strong wind. Right now, we’re confident that our software development process complies with the requirements of ISO 13485, but we can’t predict with absolute certainty whether our house of cards will withstand all the challenging winds of the projects ahead of us. Every new experience we gain will help us strengthen the process we’ve constructed, but we know that we’ll also need to often modify and adjust it, while constantly monitoring the results. In the world of rigid regulations, we need to remain alert and flexible.

Continuous improvement is the basis on which all the assumptions of ISO 13485 are built. It’s not enough to implement and forget. So, if you’re thinking about pursuing ISO 13485 certification, make sure you and your team are ready to take on that challenge. Otherwise, consider working with a company at which the software development processes already are ISO 13485 and IEC 62304 compliant – like Revolve Healthcare.