Six Steps to ISO 13485 Certification

People frequently ask me where to find information about ISO 13485, but I always have trouble finding resources specific to certification. Therefore, I recently completed a white paper specific to ISO 13485 certification, and this article provides a brief overview of the sequential steps to the process.

There are six steps to preparing for ISO 13485 Certification:
1. Planning the Quality System
2. Meeting Regulatory Requirements
3. Implementing Design Controls
4. Documents, Records and Training
5. Management Processes
6. The Certification Audit

Step 1: Planning the Quality System
Section 5.4.2 of the ISO 13485 Standard includes a requirement for Quality Planning. Writing a Quality Manual is not sufficient to meet this requirement. You need documented Quality Plans for implementing changes to your Quality Management System, and creating a new Quality System from scratch is a big change. There is no required format for quality plans. Spreadsheets and Gantt Charts are the most common tools for quality planning.

As part of your Quality Plan, you should select a certification body. You are allowed to have a different certification body for each location, but I don’t recommend it. Instead, save yourself time and money by selecting one partner for all your locations.

In order to select a certification body, first you need to complete an application form and request a quote. Most Quality Managers contact a certification body they worked with in the past, or ask a friend for a referral. I recommend neither approach.

There is an official Europa page that helps you identify the complete list of “possible” candidates based upon the product category. If you’re licensing in Canada, you should refer to an even shorter list of possible certification bodies, which can be found on Health Canada’s website. The selection of your registrar is also an opportunity to create a record of supplier qualification.

Step 2: Meeting Regulatory Requirements
While developing your quality plan, you will need to define those global markets in which your company is going to seek regulatory approval. The most common markets for U.S.-headquartered device manufacturers are the U.S., Europe and Canada. Each of these markets has additional requirements:
1. In the U.S., medical device companies must comply with 21 CFR 820.
2. In Europe, device companies must comply with one of three directives: 1) the MDD for devices such as a knee implant, 2) the AIMD for active implantable devices or 3) the IVDD for in vitro diagnostic devices.
3. In Canada, the Canadian Medical Device Regulations (SOR/98-282) define the requirements for your company.

If your company is only interested in the U.S. market, certification is not required. In Europe, ISO 13485 Certification is the most common pathway for achieving CE Marking approval. In Canada, you will need a special type of ISO 13485 Certification called CMDCAS.

Step 3: Implementing Design Controls
Most clients have already implemented design controls. Therefore, that lies outside the scope of this article.

Step 4: Documents, Records and Training
One of the requirements for a Quality Manual is to define the process interactions for your Quality System. This is typically done by creating a process interactions diagram. The classical template for this diagram has three levels: 1) the bottom row includes support processes such as document control and training; 2) the middle row includes core processes such as purchasing, production and shipping and 3) the top row includes management processes. Each of these levels will have associated procedures, and these procedures will need to be controlled.

Therefore, the document control procedure should be the first procedure you write. This will serve as the foundation for the entire Quality System. When you approve this procedure, you will also want to approve any design control procedures and forms you have developed. Any approval documents will be records that will be controlled as Quality Records. Therefore, your record control procedure might be one of your early procedures to be approved as well.

Once you have approved procedures for document control, record control and design control, you will need to start documenting training on these procedures. Deciding how to document training is an important decision. You need to document training, effectiveness of training and competency. Once you have a training process, you are now ready to start writing the remaining procedures. There are 19 required procedures in the ISO 13485 Standard, and there will probably be another five or six procedures required by various national regulations. As you write each procedure, I recommend writing the corresponding section of your Quality Manual. This allows your Manual to grow organically over time, and the Manual will reflect what you actually do—instead of copying directly from the Standard. After several months, you should be done writing all of your procedures and your Manual should be about 50% complete. The remaining sections of the Manual can be filled in clause by clause.

Step 5: Management Processes
The primary management processes are: CAPA, Internal Auditing and Management Review. I recommend implementation of these management processes after most of the other processes have been implemented, but you may decide to implement the CAPA process and/or Management Reviews earlier as tools to help manage your business.

I recommend a specific sequence of implementation for these three management processes when preparing for ISO 13485 Certification. The first process to implement is internal auditing. During the internal auditing process, as a consultant
I typically help clients (the new Quality Manager) perform this internal audit, and we look at all processes with the exception of CAPA and Management Review—which have not been implemented yet. This gives me an opportunity to supplement your auditor training—if needed.

This internal auditing always identifies some areas of weakness that are documented as nonconformities. These nonconformities are then used to implement the CAPA process as the first corrective and preventive actions. During the internal audits, you specifically look for trends that may lead to future problems. This proactive approach is the best source of preventive actions; you will identify important metrics for each process.

After you have written corrective action plans for each of your audit findings, and you have identified at least one preventive action, you are now ready to conduct your first Management Review. The requirements for a Management Review are simple and take up less than a page in the ISO 13485 Standard. Therefore, help yourself by creating a Management Review template that includes each requirement on a separate slide. Put this template under document control. Don’t delete any of the slides when you are preparing a Management Review.

The last step of implementing management processes is to have an independent person perform an audit of the Internal Auditing, CAPA and Management Review. This internal audit may be performed by a consultant if someone within the company is not qualified. This audit may also be done completely as a remote audit, because the Management Representative for the company is the primary person you need to interview and all the records should be easy to email and discuss over the phone. Once you have completed this audit and written corrective action plans for any findings, then you are ready for the Stage 1 certification audit.

Step 6: The Certification Audit
For certification audits, ISO 17021 requires that a Stage 1 and Stage 2 audit be conducted. The combined duration of the certification audits must be in accordance with the IAF MD9 guidance document, which is primarily based upon the number of employees in the company.

Historically, the certification process would begin with a desktop audit of procedures. The problem with this approach is that some companies did not have records to verify that the systems were fully implemented. The new two-stage process now includes a review of records from the internal auditing, CAPA and management review processes during Stage 1. This is why
Step 5 must be completed before the Stage 1 certification audit.

The Stage 1 audit is typically a one day audit. At the end, you receive a report indicating positive and negative findings. The auditor also indicates if your company is ready for Stage 2. Negative findings, or nonconformities, require corrective action plans to be submitted and accepted. Depending upon the timing of the Stage 2 audit, it may not be possible to fully implement corrective actions prior to the second stage. I recommend six weeks between the two stages so that minor issues can be completely resolved and there is sufficient evidence of progress for 100% of the issues identified during Stage 1.

The Stage 2 audit may involve multiple auditors and multiple days. During this audit, all the remaining processes in your Quality System will be audited. If there is an absence of a major requirement, this can prevent a recommendation for certification by the auditor. Usually the auditor will identify a few additional issues that require corrective action, but if the issues are minor, only corrective action plans will be required. If issues are major, then the auditor may need to return for one more day to verify that the issues are resolved before they can recommend certification.

Once the auditor completes his report and recommends certification, he must review and accept your corrective action plans for each of the Stage 2 findings. Upon acceptance of the corrective action plans, there will be an internal review of all documentation by the certification body. The final certificate is typically issued within about a month of accepting the corrective action plans.

Robert Packard of Packard Consulting is a regulatory consultant with 20 years of experience developing products and managing projects in the medical device, biotechnology and pharmaceutical industries. His experience includes research, product development, operations management, manufacturing engineering, equipment design, regulatory affairs, quality assurance and fund-raising. Rob’s passion is training others. Specific questions about ISO 13485 Certification or Quality System training can be directed to Mr. Packard at This email address is being protected from spambots. You need JavaScript enabled to view it.