ISO 13485 Basic Documentation

The standard is clear that you need a quality manual and 26 documented procedures (27 if you have corrective and preventive action as separate; almost no one ever does):
Quality manual

*4.2.3 Document Control
*4.2.4 Records
5.5.1 Responsibilities and authority
6.2 Training (from CFR 21 820)
6.3 Maintenance
6.4 Cleanliness of personnel, work environment, and contaminated material
7.1 Risk management
7.3 Design
7.4.1 Purchasing
7.5.1.1 Documented work instructions (and setup/rework) usually many documents
7.5 Change control (CFR 21 820)
7.5 Criteria for workmanship (CFR 21 820)
7.5.1.2.2 Installation
7.5.1.2.3 Servicing
7.5.2.1 Validation of software
7.5.3.1 Product identification
7.5.3.2.1 Product traceability
7.5.5 Storage and shelf life
7.6 Calibration
8.2.1 Customer feedback
*8.2.2 Audit
8.2.4 Inspection
*8.2.3 Nonconforming, including rework
8.4 Analysis of data
8.5.1 Advisory notices and agency notification
*8.5.2 Corrective and preventive action

These documents are much the same in most smaller organizations. Big companies have more complex issues to handle, and much more variety in their procedures.

Procedures say what you do to meet the requirement: who, what, when, and how if it is confusing (sometimes where; why is because the standard says so). A good procedure is 1-2 pages long, and reads like clear spoken English. See Procedure Writing for help in this important area. Hint, 90% of the procedures I see are very wasteful.

The Quality Manual is your top management's commitment (promise, contract) that your organization will adopt all the requirements of the standard. So where the standard says "the supplier shall..." your Quality Manual says "My Company does..."

There are more than 100 "shall" statements in ISO 13485, and only 26 procedures. The Manual picks up the slack, detailing the "who, what, when, and sometimes how" of the "we do."

For example, "John does this as soon as he can as he chooses, based on his experience." Note a couple of things. I used a first name. In many small organizations everyone immediately knows "John" but would have to think a bit about who is the VP of marketing. We also rely on John's experience to decide how to do it, and if the top manager has confidence in John, the auditor will too. By the way, if John leaves or changes jobs, and Jane takes over, use the Word function "replace" to switch the names, takes less than a second.

With this in mind, while the Midwest professional is discussing an issue, they will open the document and make modifications to start the customization process. They will not finish! This is your procedure, and your employee who will have to defend the procedure to an auditor had better work over the words to make them sound like their own. Same for the manual. It will take a day for the management representative (ISO team leader) to work through that and make it read smoothly.

There are 4 reasons for having documented procedures:
1. Because the standard requires it (5 basics).
2. What you are doing is so complex you need to write it down to keep people from forgetting (better to simplify it if you can).
3. There are several ways to do something, and you put your agreement to do it one way in a procedure, a contract, which everyonefollows until it is changed in writing.
4.What you are doing is marginally meeting the requirements of the standard. If there is a boundary line, you know you are really close. So put it in a "defensive" procedure to make it clear to the auditor that you thought it out, and that is the way you are going to do it. May not always work, but usually better than a verbal argument.

During the training your Midwest professional will discuss the need for procedures, what will have to go into them, and who is going to do it. We welcome getting copies to mark-up. At the end of the session you have a good start, with mostly customized word files for the basics, and a good start on anything else.

Midwest offers additional procedures and forms during the training where they have been found the easiest way to handle a situation:

Document Reason
5.5.1 Responsibility and authority This is the easiest way to communicate who is responsible for each process (element)
7.3 Design We use a matrix to communicate how you approach design and meet all the requirements
8.2.3 Monitoring and measuring processes This matrix is the easiest way to communicate how you keep track of your processes
8.4 Analysis of data Another matrix to communicate what you do, and who does it
Form 5.6 Management review Walks management through the process
Form 5.3 Preventive maintenance An EZ way to document maintenance
Form 7.6 Calibration An EZ paper form to record calibrations
Form 8.3 Nonconformance A typical "red tag"
Form 8.5.2 Corrective action A typical C/A form
Form 8.5.3 Preventive action A simple project management form