We’re in the early stages of founding our company and developing our product. We’re wondering what it takes to certify our software as a medical device. We’ve heard about all these standards we’d have to comply with (ISO 13485 etc.) and are wondering whether we have to read those. Can’t we just bring consultants in who make the problem disappear?
No. Read the standards.
You might think that regulatory work is similar to doing your tax return: You bring in a consultant, in this case, your tax accountant. That person requests lots of documents from you - your salary payments, your expenses, etc. - and then magically creates a tax return which you never really have to understand. If the tax authorities have questions, they talk directly to you tax accountant. Genius!
This concept however doesn’t work for regulatory compliance for medical devices. Your auditor from your notified body will want to talk to you, not to your consultant. This is understandable: They want to make sure that you have actually understood what it takes to be a compliant medical device / medical software manufacturer.
That means that you’ve understood which steps and precautions you need to take while developing your product and what sort of reporting obligations you have if things go wrong. There’s no way you could outsource all of this to a consultant. It’s essential knowledge in your company.
That would be like an airplane manufacturer outsourcing all their safety work to some random dudes. No, safety has to be at the core of their product development.
That being said, we’ve had some 737 Max crashes in the past. Maybe they didn’t read this post?
If you consider hiring someone for regulatory work, read my opinion on why hiring senior regulatory affairs people might be a bad idea. And here’s a cool trick how to access standards (they cost money!) for ridiculously low prices.