
5 Steps to Obtaining ISO 13485:2016 Certification

February 26, 2024
by SeerPharma

For most medical device manufacturers, the roadmap to market will start with ISO 13485:2016 certification. Obtaining an ISO 13485:2016 certificate is evidence that the Quality Management System in place is compliant with international standards and is a key component of a registration package with the regulators.

But how does a company obtain ISO 13485:2016 certification? Who performs this certification and how long does it take?


The process of obtaining certification can be broken down into five steps...

Step 1: Develop and Implement the Quality Management System

Go through each clause of the ISO 13485:2016 standard, and develop written procedures, policies and a way of working that will ensure each of the requirements of the standard is met. An ISO 13485:2016 Implementation Checklist is a great tool to track each requirement and ensure traceability across the QMS.

However, while it is relatively straightforward to write an ISO 13485:2016 compliant QMS, the most important element for certification is that the QMS is effectively implemented within the company and the procedures are being followed.

One of the most common audit non-conformities identified during the certification process is not the compliance of the QMS to the standard, but that the company is not performing the processes that the QMS calls for, or that they are not being performed correctly.

To ensure a QMS is effectively implemented, it must be tailored to the size and complexity of the company. While many online templates are available for ISO 13485:2016 procedures and manuals, it is paramount to ensure they are fit for purpose for each company.

The procedures must be practical and able to be performed using the company’s current resources.

For example, a document control procedure with multiple labour-intensive steps for manually managing registers and tracking document numbers is not practical for a small start-up company with three employees, where each person has multiple responsibilities. Streamlining processes and grouping similar functions will ensure that a QMS can be implemented successfully.

Step 2: Select a Certification Body

There are multiple certification bodies and notified bodies that can audit a company’s QMS and provide a certificate. The decision to pursue certification by a notified body over a certification body will depend on the company and the scope of the certificate they are applying for.

Certification Bodies

Certification bodies will provide an ISO 13485:2016 certificate as a standalone Quality Management System certification and will not audit the technical file against additional medical device regulatory requirements (i.e. certification bodies are not associated with MDR/IVDR or TGA).

JAS-ANZ (Joint Accreditation System of Australia and New Zealand) is an independent, third-party accreditation body. Certification bodies who are accredited by JAS-ANZ have been assessed against internationally recognized standards and are able to provide companies with ISO 13485:2016 certificates.

Certification bodies with headquarters outside of Australia or with a global presence may be accredited with international groups, such as ANSI (US), UKAS (UK) or DAkkS (Germany).

By searching the databases within these accredited certification bodies, it will be possible to find a list of the companies able to provide the ISO 13485:2016 certification.

Certification bodies are most commonly utilized by companies wanting to obtain ISO 13485:2016 certification for their QMS but not pursue regulatory approval for a particular device. For example, material suppliers, third party service providers, and other vendors looking to obtain ISO 13485:2016 as a competitive advantage.

Notified Bodies

A notified body will assess a company’s QMS as well as the technical documentation for their product as part of a conformity assessment (e.g. EU (MDR/IVDR), UK (Med Device Regulation)).

Notified Bodies are also accredited and can be found through JAS-ANZ; however, instead of being certified as ISO 13485:2016 alone, they are listed by the regulation they assess (MDR/IVDR).

Assessment by a notified body to ISO 13485:2016 will also include assessment against a specific regulation.

For companies looking to gain market access, ISO 13485:2016 is most commonly assessed by a notified body in conjunction with the regulation of the region(s) they are looking to sell into.

The audit of the QMS is split into Stage 1 and Stage 2 audits. Successful completion of both stages is required to obtain an ISO 13485:2016 certificate.

Step 3: Stage 1 Audit

Stage 1 Audits are typically one day in length, and the objective is to verify that the QMS is compliant with the standard and that the company is ready for the Stage 2 audit.

Because the assessor will be auditing the QMS, it is important that the Stage 1 audit be scheduled at least 3 months after the QMS has been implemented to ensure that there are records to audit (see expectations below), and that the company can provide evidence that the QMS is being effectively implemented.

This audit will verify the procedures within the company against the ISO 13485:2016 clauses. Gaps and non-conformities identified in the Stage 1 Audit will be concerned with how the company has written the Quality Management System.

Expectations at the Stage 1 Audit:

  • Internal Audit
    • It is expected that an internal audit schedule be in place and that it covers all elements of the standard.
    • While it may not be practical to perform a complete audit cycle of the QMS prior to stage 1, the expectation is that at least one audit report be completed and remaining audits scheduled to be completed prior to the Stage 2 audit.
  • Control of Outsourced processes
    • It is expected that all outsourced service providers have been identified and listed, and that a plan is in place for the evaluation and approval of each of these suppliers.
  • Management Review
    • The company must have held at least one management review meeting, with meeting minutes, presentation materials and other records to provide as evidence.

After the audit, a Stage 1 Audit Report will be issued that classifies nonconformities into one of two categories:

  • Minor
    • These are gaps that have been identified in the QMS, but they do not indicate a serious compliance issue. Companies will need to ensure a corrective action plan is in place and completed before the Stage 2 audit.
    • These findings will not stop the Stage 2 audit from being scheduled.
  • Major
    • These are findings indicating that the gaps identified represent a serious or systemic non-compliance.
    • The company will need to provide a corrective action plan and evidence that the corrective actions are completed before a Stage 2 audit can be scheduled.

Step 4: Stage 2 Audit

Once the Stage 1 Audit is successfully completed, a Stage 2 Audit will be scheduled. This will take place typically within 30 days of the Stage 1 audit, and is longer in length, depending on the size of the company being audited, the number of sites and staff.

The objective of a Stage 2 Audit is to verify that the company is effectively implementing the QMS that is in place. This audit will look to determine, ‘does the company do what it says it does’.

In order to successfully pass a Stage 2 audit, records and data will be audited as evidence. At a minimum, the following records will be audited:

  • Internal Audit records
    • The company must have performed an internal audit against each element of the standard, with records available to provide as evidence.
  • Management Review
    • If the Stage 1 audit brought up major nonconformities, or deficiencies in the QMS, it may be necessary that a follow up Management Review is performed prior to the Stage 2 audit.
  • Top Management Commitment
    • The commitment to Quality from senior management, CEO and other top management representatives is the foundation of a successful QMS. To that end, assessors will request documented evidence that this is in place. This may take the form of a clear and direct Quality Policy, signed by Top Management, oversight of quality processes by Senior Management, communication of roles and responsibilities within the company, and their presence at the opening and closing meetings for both Stage 1 and Stage 2 audits.
  • Control of Outsourced Processes
    • It is expected that all critical suppliers for the company have been identified and evaluated in accordance with the procedures for supplier approval. At a minimum, signed contracts with the vendors need to be in place.

The Stage 2 Audit Report will be issued that classifies nonconformities into one of two categories:

  • Minor
    • As with Stage 1, these are considered non-serious gaps. However, to obtain certification and complete Stage 2, the corrective action plan needs to be provided to the auditor following the audit, in order for the audit to be completed.
  • Major
    • These are findings that represent a serious or systemic non-compliance to the standard.
    • The company will have 30 days to complete the necessary corrective actions, before a repeat Stage 2 audit is performed. A company may extend the repeat audit period if needed; however, if it is not performed within 6 months of the initial audit, the assessment will lapse and the company will need to start again at Stage 1.

Step 5: Ongoing Certification

Once the certification has been obtained, the company will be audited every year as part of a surveillance audit program. Certificates will be valid for three years, with a recertification audit being performed at the end of the three years. This will mimic the Stage 2 audit and cover all elements of the QMS.

Surveillance audits will occur each year and look at half of the QMS. This ensures that over a two-year period, each element has been assessed.

While at a less detailed level than the initial certification audit, the objective of a surveillance audit is to verify that the company continues to implement the QMS.

While the drive to achieve ISO 13485:2016 certification is crucial, the journey is not over when the certificate is issued. A Quality Management System requires constant maintenance, review and iteration if a company is to keep the certificate. It is a journey that never ends.

SeerPharma is a proven and experienced partner for medical device companies looking to implement ISO 13485:2016 Quality Management Systems and obtain and maintain certification. We have experience in performing gap assessments of Quality Management Systems against ISO 13485:2016, conducting internal audits and providing consulting to medical device companies ensuring that they successfully navigate this important first step on the pathway to market.

Contact us if you would like to explore your interests or needs in the ISO 13485 space.
