ISO 13485 Certification Process for Medical Devices SA

Achieving ISO 13485 certification is a significant milestone for any organisation involved in the medical device industry. This international standard ensures that your Quality Management System (QMS) meets the stringent requirements necessary for regulatory compliance and product safety. Although the requirements in the standard are straightforward, planning is critical to ensure that the QMS is developed to meet the individual organisation’s business plans and costly errors can be avoided with careful planning.

This guide is designed to walk through the essential steps to establish and maintain a ISO 13485 compliant QMS and obtain certification. From understanding regulatory requirements and developing a robust QMS to encompass these requirements through to conducting internal audits and selecting the right certification body, each step is outlined to help you navigate the certification process with confidence. Whether you are new to ISO 13485 or looking to upgrade your processes, this guide provides insights and practical advice to help you on your way.

CONTENTS

Step 1: Understand ISO 13485 Requirements
Step 2: Developing a Quality Management System (QMS)
Step 3: Conducting a Gap Analysis for ISO 13485 Certification
Step 4: Implementing Necessary Changes
Step 5: Conduct an Internal Audit
Step 6: Select a Certification Body
Step 7: Project Planning
Step 8: The Certification Audit
Conclusion

Step 1: Understand ISO 13485 Requirements

Regulatory Requirements by Region

ISO 13485 states that the certified organization needs to understand the regulatory requirements where they place product on the market. This includes national requirements, such as notifications and device classifications, as well as interpretations of international standards, including definitions.

Begin by familiarising yourself with regulatory requirements specific the regions where you intend to place your medical devices on the market. International organisations will need to navigate a variety of regulatory landscapes. In the US this involves understanding the US FDA publication 21 CFR Part 820, including the changes in progress that incorporate the quality management system requirements of the international standard specific for medical device quality management systems set by ISO 13485:2016. In the European Union (EU), the requirements are laid down in the Regulation 2017/745 (MDR) and Regulation 2017/746 (IVDR) and focus on the safety and performance of medical devices. The US and EU are the largest markets and many other jurisdictions align to these requirements, but have their own nuances, such as Japan’s Pharmaceutical Affairs Law (PAL), Australia’s Therapeutic Goods Administration (TGA) requirements, the UK’s Medical Device Regulation, Switzerland’s Medical Device Ordinance, and South Africa’s Health Products Regulatory Authority (SAHPRA) guidelines. Understanding the similarities (common specifications) and national differences helps design a system that streamlines placing and maintaining devices on multiple markets, supporting compliance and facilitating smoother market entry across different regions.

Product Lifecycle Management

Effective management of the product lifecycle is essential for ISO 13485 certification. During the design and development phase, implement rigorous controls such as design reviews and verification activities to ensure the safety and performance of your products. Integrate risk management practices throughout the design process, identifying potential risks and implementing mitigation strategies.

In the production phase, establish well-defined and controlled manufacturing processes. For instance, ensure validated procedures for sterilising sterilization are in place. Robust quality control measures are also essential; conduct thorough testing and inspections at various production stages to verify criteria are met. This is particularly important for accuracy of diagnostic test kits.

When it comes to installation and servicing, develop clear procedures for setting up medical devices such as MRI machines, and establish maintenance programs to keep devices such as infusion pumps in optimal condition. Post-market surveillance is an essential requirement in many jurisdictions: set up systems to collect and analyse user feedback and performance data, as well as ensuring compliance with regulatory reporting requirements for any safety issues or adverse events.

Lastly, develop procedures for the proper disposal of medical devices, including single-use surgical instruments, in compliance with environmental regulations. By addressing these aspects comprehensively, your QMS will not only meet ISO 13485 requirement but also be well-prepared to comply with local and international regulatory requirements throughout the entire product lifecycle.

Use your knowledge to establish a framework on which to build your QMS, ensuring that all regulatory and product-specific aspects are met.

Step 2: Developing a Quality Management System (QMS)

Creating a Quality Manual

Use the framework you have built to create a quality manual. Outline the scope and purpose of your QMS. For instance, if your company manufactures infusion pumps, the manual should detail the processes and procedures specific to these devices. It should also include the organisation's quality policy and objectives, highlighting commitments to regulatory compliance, customer satisfaction, and continuous improvement.

Read our blog "Why a QM Manual is Key for High-Quality Standards" to discover how a QM Manual can ensure compliance and enhance your quality standars

Documenting Standard Operating Procedures (SOPs)

Next, develop and document Standard Operating Procedures (SOPs) for critical processes such as design control, risk management, and record control. The output of these procedures should be the technical documentation that will allow creation of production documents. These documents should be sufficiently detailed: a SOP for the sterilisation of surgical instruments should specify the steps, equipment, and quality checks involved, as well as work instructions for specific tasks, such as assembling pacemakers, that allow consistency and accuracy. Implement a document control system to manage and update QMS documentation, ensuring that all documents are reviewed, approved, and kept current. Maintain records that demonstrate compliance with ISO 13485, including training records, audit reports, and corrective action records, and ensure they are accessible for audits.

Process Mapping and Interaction

Process mapping is another crucial aspect. Identify and map out key processes such as design and development, including phases like concept, feasibility, design, and validation. For example, a company developing a new prosthetic limb should detail each stage from initial concept to final validation. Document production processes, such as material handling and assembly, to ensure clarity and consistency. Define how processes interact and integrate with the overall QMS.

Implementing Continuous Improvement with the PDCA Cycle

Integrating the Plan-Do-Check-Act (PDCA) cycle, a proven framework for driving continuous improvement and maintaining a responsive, effective QMS, can help establish a successful QMS.

The PDCA cycle includes:

Plan: Define clear actionable objectives, allocate necessary resources, set timelines, and establish methods. For example, a company might aim to reduce the time-to-market for a new device by 10% by streamlining its design processes. This phase involves setting objectives, determining resources (e.g. budget or specialised personnel), establishing key milestones, and developing standard operating procedures (SOPs) to guide the process.
Do: Execute the planned processes, ensuring alignment with your quality policy. This includes implementing new procedures, training staff, and managing resources efficiently. For instance, once a new design control process is in place, it should be applied to prototype development, with the team trained on latest quality control techniques.
Check: Continuously monitor and measure the performance of processes and products. This involves collecting data on metrics like defect rates, reviewing performance against targets, and identifying areas for improvement. For example, compare defect rates before and after implementing new controls to provide insights into their effectiveness.
Act: Based on the performance data, take corrective and preventive actions to address issues and enhance processes. This might involve redesigning components or revising procedures to improve efficiency or prevent recurring problems. For instance, if a redesigned component still causes issues, further refinement may be necessary.

The PDCA cycle gives a robust foundation for ongoing quality and improvement that forms the foundation for an ISO 13485 QMS. Implementing this cycle throughout QMS design, development and maintenance is likely to facilitate the certification process.

Resource Allocation and Training

Finally, focus on resource allocation. Define roles and responsibilities within the QMS, ensuring that staff understand their quality management duties. For example, designate personnel to oversee quality control in medical imaging equipment production and provide relevant training, such as on ISO 13485 requirements and internal auditing. Allocate necessary resources, including equipment and facilities, to support the QMS. Ensure calibration equipment is available for testing and facilities are properly equipped for product storage and handling. Establish maintenance and calibration procedures to ensure equipment reliability. Finally, allocate a budget for QMS development and maintenance, covering training, audits, and updates to processes and equipment.

Step 3: Conducting a Gap Analysis for ISO 13485 Certification

Takes the ISO 13485 standard and add any content established in the framework developed in Step 1. Review your existing Quality Management System (QMS) documentation, including quality manuals, procedures, work instructions, and records, against the standard and additional requirements. For example, when assessing your design control processes for a medical device, ensure that your documentation aligns with ISO 13485 requirements as well as any national requirements for the jurisdictions where you will place your devices. Evaluate critical processes such as product development, risk management, and quality control.

Identifying Compliance Areas

Identify compliance areas by checking if your QMS aligns with ISO 13485 standards and relevant regulatory requirements. Review your post-market surveillance processes to ensure they meet regulatory expectations for monitoring and addressing adverse events, noting the different data collection and reporting requirements in the different jurisdictions. Compare your internal practices with ISO 13485 requirements to pinpoint discrepancies.

Documenting Gaps and Creating a Gap Analysis Report

Document any gaps between your current QMS and the ISO 13485 standard. This may include non-conformities, such as incomplete risk management documentation, or process inefficiencies, like inadequate internal audits. Create a gap analysis report that summarises your findings, including identified discrepancies and areas for improvement, and prioritise these gaps based on their impact on compliance and product quality.

Developing and Implementing an Action Plan

Develop a detailed action plan to address the identified gaps. Define specific corrective actions, such as updating design verification procedures or enhancing documentation practices, as well as assigning responsibilities to relevant team members. For instance, designate a team to revise quality manuals based on the gap analysis findings. Establish a timeline for implementing corrective actions, including deadlines for updates and training sessions, and define milestones to track progress.

Regularly monitor progress to ensure that corrective actions are effectively implemented. Conduct periodic reviews to verify that updated procedures are followed and that gaps have been addressed. Establish a feedback loop to assess the effectiveness of corrective actions and make necessary adjustments. For example, gather staff feedback on new procedures and resolve any issues that arise to ensure ongoing compliance and improvement.

Step 4: Implementing Necessary Changes

Once completing the gap analysis and identifying corrective actions, the next step is implementing these changes effectively. Begin by following your change management process to revise existing procedures or create new ones to address the identified gaps. For example, if your risk management procedures were insufficient, update them to include more comprehensive risk assessment and mitigation strategies. Ensure all documentation is properly controlled, tracked, and versioned with a robust document control system.

Enhance work instructions to ensure they are detailed, clear, and aligned with ISO 13485 requirements. For instance, provide explicit instructions on handling non-conforming products to ensure consistency. Make these instructions easily accessible, possibly through digital platforms, so all relevant personnel have the most current information.

Training is vital in this phase. Offer targeted training on the new or revised procedures. For example, if design validation processes have been updated, train employees on these new requirements. Document training sessions, including attendance and feedback, to ensure compliance and assess effectiveness. DQS Academy offers ISO 13485 training courses that can support this effort.

Integrate the changes into daily operations by ensuring new procedures are consistently followed. Monitor their application closely and communicate the changes to stakeholders through internal memos or meetings. Gather feedback to identify any issues and make necessary adjustments. For instance, gather input on the usability of updated work instructions.

Finally, establish performance metrics to measure the effectiveness of the changes. Track key performance indicators related to quality control and conduct regular reviews to assess whether the new procedures are improving outcomes. Adjust processes based on monitoring results and feedback, incorporating best practices and lessons learned to continually enhance your QMS.

Step 5: Conduct an Internal Audit

Planning and Scheduling the Internal Audit

Start by establishing a clear internal audit plan that defines the scope, and objectives based on areas needing review. For instance, when focusing on new design control procedures, ensure this is reflected in the audit plan. Set up a schedule to cover all relevant QMS areas systematically and select auditors experienced with ISO 13485 requirements.

Audit Execution and Reporting

During the audit, use a checklist to cover all key areas comprehensively. Conduct staff interviews to gauge adherence to procedures, such as verifying complaint handling processes. Gather evidence through document reviews and observations, such as checking design validation records to ensure compliance with ISO 13485.

Document your findings in an audit report, highlighting non-conformities and areas for improvement. For example, if gaps in document control are identified, detail these and recommend corrective actions. Communicate significant issues to top management and develop an action plan to address them. For instance, if staff training is inadequate, outline a plan to enhance training programs. Top management will document their review and decisions in their management review report of minutes.

After the audit, ensure corrective actions are implemented effectively. For example, revise process documentation and provide staff training as needed. Monitor these actions to confirm they resolve issues and prevent recurrence, and regularly update the internal audit process to maintain its relevance and effectiveness.

Step 6: Select a Certification Body

Selecting the right certification body is not only critical for achieving ISO 13485 certification, but also for facilitating smooth market roll out. An accredited body, like DQS, will conduct an independent assessment of your Quality Management System (QMS) to verify compliance with ISO 13485. Furthermore, our international offices provide certification services mandatory for entry into certain markets, such as Canada and the EU, and that support entry into other countries.

Accreditation ensures high standards of competence and impartiality. Accredited bodies meet stringent qualifications and follow consistent procedures, enhancing the reliability and credibility of the certification process. Their certification is widely recognised by regulatory authorities, industry peers, and customers, facilitating global market access. Accreditation also guarantees rigorous evaluations and ongoing monitoring, adding confidence to the certification process and supporting continuous improvement.

DQS stands out with extensive expertise in medical device certification and top-tier accreditation. Our auditors are highly skilled and accredited by recognised authorities such as the International Accreditation Forum (IAF), DaKKs, and SANAS, ensuring reliable and globally respected assessments.

Step 7: Project Planning

QMS assessment

Begin by ensuring that all Quality Management System (QMS) documentation is complete, accurate, and up to date. This includes your quality manuals, procedures, work instructions, and records. For instance, make sure that your design control procedures are thoroughly documented and reflect any recent updates. Organise all relevant documentation systematically, making it easily accessible for auditors. This organisation will facilitate a smoother review process, helping to prevent delays or issues during the audit.

Training

Next, focus on staff training. Ensure that employees are well-versed in ISO 13485 requirements, QMS processes, and their specific roles in the audit process. Effective training is key to ensuring that your team understands the standard's expectations and can clearly demonstrate compliance during the audit. Provide targeted training for key personnel, such as those involved in quality control or risk management. This preparation will equip them to respond confidently to auditors’ questions and provide the necessary evidence.

Step 8: The Certification Audit

Preparation

Preparation for the audit involves scheduling it with the certification body, confirming the scope and requirements, and ensuring all necessary documentation and resources are in place.

The audit

The audit happens in two defined stages:

Stage 1 Audit: reviews your QMS documentation to assess the completeness and adequacy of your quality policies, procedures, and records. This phase allows the auditor to understand your QMS and prepare for the Stage 2 audit. After it is complete, the auditor provides feedback on any deficiencies that should be addressed before the Stage 2 Audit. For high-risk medical devices, this audit is conducted on-site.
Stage 2 Audit: An on-site evaluation of your QMS implementation and effectiveness, where auditors assess how well your processes are executed and whether they meet ISO 13485 requirements. You must provide evidence of compliance, such as process performance data and records, and address any non-conformities promptly, communicating corrective actions to the certification body.

Final review and certification decisions

Once the audit is complete, the certification body performs a final review and Certification Decision. This process includes a thorough review of your QMS audit and any corrective actions to address non-conformities raised. If your QMS meets ISO 13485 requirements, the certification body will issue the ISO 13485 certification.

Maintaining Certification and Addressing Non-Conformities

Maintaining ISO 13485 certification and addressing non-conformities demands a commitment to continuous improvement and rigorous management. Regularly reviewing and updating your Quality Management System (QMS) ensures its ongoing effectiveness and compliance. By monitoring key performance indicators, you can proactively identify areas for enhancement. Periodic surveillance audits are crucial for confirming that your QMS remains aligned with ISO 13485 standards and for evaluating any changes made since the last audit.

When non-conformities arise, it’s essential to document them promptly, conduct a thorough root cause analysis, and implement corrective and preventive actions to address and prevent recurrence. Regular management reviews are necessary to evaluate QMS performance, the effectiveness of corrective actions, and to allocate resources for continuous improvement. Keeping detailed records of audits, non-conformities, corrective actions, and management reviews supports transparency and streamlines future audits. Engaging with your certification body for ongoing feedback and guidance ensures you stay updated on ISO 13485 requirements and maintain high standards of quality and compliance.

Conclusion

Achieving ISO 13485 certification is more than just a compliance exercise; it is a commitment to quality and safety in the medical device industry. By following the steps outlined in this guide—understanding regulatory requirements, developing a robust QMS, conducting thorough gap analyses, implementing necessary changes, and engaging in rigorous audits—your organization can not only meet the stringent demands of the ISO 13485 standard but also enhance its overall operational efficiency and market competitiveness.

Maintaining certification requires ongoing vigilance, continuous improvement, and a proactive approach to addressing non-conformities. Regular updates to your QMS, consistent training, and periodic surveillance audits will ensure that your processes remain effective and aligned with evolving regulatory standards. By embedding these practices into your organization’s culture, you will not only uphold the high standards required for ISO 13485 certification but also position your company as a leader in delivering safe, reliable, and high-quality medical devices.