The author provides 5 steps in preparing for the ISO 13485 certification process, and

his own insights and tips for each step are reviewed.

A LinkedIn connection of mine recently asked for sources of good guidance on ISO

13485 registration. I wrote a blog recently about Quality Management Systems in
General, but I had trouble finding resources specific to the ISO 13485 registration
process. Therefore, I decided to write a blog to answer this question.

Typically, people learn the hard way by setting up a system from scratch. The better
way to learn it is to take a course on it. I used to teach a two-day course on the topic for
BSI. The link for this course is: http://bit.ly/Get13485; I shortened the link to the BSI
website.

Other registrars offer this course too. I suspect you can find a webinar on this through
TUV SÜD, BSI, SGS, LNE/GMED, Dekra, etc. from time to time.

The only registrar I could find that described the process step-by-step was Dekra. I have
copied their steps below:

 ISO 13485 Certification: Inquiry to Surveillance in 5 Steps

1. Inquiry

An initial meeting between [THE REGISTRAR] and the client can take place on site or
via teleconference. At this time, the client familiarizes [THE REGISTRAR] with company
specifics and its quality assurance certification requirements; [THE REGISTRAR]
explains its working methods and partnering philosophy, and previews the details of the
process.

Rob’s 2 Cents

As a client I have completed two initial certifications personally and three transfers, but I
have only once had the sales representative actually visit my company. I think this
process is typically accomplished by phone and email. If any registrars are reading this,
you will close on more accounts if you visit prospective clients personally. In fact, the
one that actually visited my company (Robert Dostert) has been on speed dial for
almost a decade and he’s received repeat business.

 
 

2. Application Form

The client chooses to move forward by filling out an online application form. Based on
the information obtained during the inquiry stage, along with the application form, [THE
REGISTRAR] prepares a quote, free of charge, for the entire certification process. A
client-signed quotation or purchase order leads to the first stage of the certification
process.

Rob’s 2 Cents

For both of the Notified Body transfers I completed, I completed application forms and
requested quotes from multiple Notified Bodies. During the quoting process, my friend
Robert was more responsive and able to answer my questions better than the
competition. Robert was also able to schedule earlier audit dates than the competition.
To this day, I am still amazed that Notified Bodies are not more responsive during this
initial quoting process. All of the Notified Bodies are offering a certificate (a commodity).
The customer service provided by each Notified Body, however, is not a commodity.
Each Notified Body has its own culture, and every Notified Body has good and bad
auditors. Therefore, you need to treat this selection process just like any other supplier
selection decision. I have provided guidance on this specific selection process on more
than one occasion, but I am definitely biased.

 3. Phase One: Document Review and Planning Visit

LNE/GMED Flow Diagram for the process of ISO 13485 Certification

At this stage, [THE REGISTRAR] performs a pre-certification visit, which entails

verifying the documented quality systems against the applicable standard. [THE
REGISTRAR] works with the client to establish a working plan to define the [THE
REGISTRAR] quality auditing process. If the client wishes, [THE REGISTRAR] will
perform a trial audit or “dress rehearsal” at this stage. This allows the client to choose
business activities for auditing, and to test those activities against the applicable
standard. It also allows the client to learn and experience [THE REGISTRAR] ‘s quality
auditing methods and style. The results of the trial audit can be used toward
certification. Most clients elect for one or two days of trial auditing.

Rob’s 2 Cents

Dekra’s statement that, “The results of the trial audit can be used toward certification,” is
100% opposite from BSI’s policy. BSI calls this a pre-assessment. The boilerplate
wording used in BSI quotations is, “The pre-assessment is an optional service that is an
informal assessment activity intended to identify areas of concern where further
attention would be beneficial and to assess the readiness of the quality management
system for the initial formal assessment.” During these pre-assessments, BSI auditors
explain that any findings during the pre-assessment will not used during the Stage 1
and Stage 2 certification audits, and the client will start with a “clean slate.” Most of the
clients I conducted pre-assessments for were skeptical of this, but most auditors are
ethical and make every effort to avoid even the perception of biasing their sampling
during the Stage 1 and Stage 2 audits.

I highly recommend conducting a pre-assessment. You want an extremely thorough and

tough pre-assessment, so that the organization is well prepared for the certification
audits. If the auditor that will be conducting the Stage 1 and Stage 2 audit is not
available to conduct a pre-assessment, try to find a consultant that knows the auditor’s
style and “hot buttons” well. FYI…You can almost always encourage me to do a little
teaching when I’m auditing (I just can’t resist), and my “hot buttons” are CAPA,  internal
auditing and design controls.

 4. Phase Two: Final Certification Audit

Once the client’s documented systems have met the applicable standards, [THE
REGISTRAR] will conduct an audit to determine its effective implementation.  [THE
REGISTRAR] uses a professional auditing interview style instead of a simple checklist
approach. This involves interviewing the authorized and responsible personnel as
designated in the documented quality system.

Rob’s 2 Cents

For certification audits, ISO 17021 requires a Stage 1 and Stage 2 audit to be
conducted. The combined duration of the certification audits must be in accordance with
the IAF MD9 guidance document–which is primarily based upon the number of
employees in the company. The “interview style” that Dekra is referring to is called the
“Process Approach.” This is required in section 0.2 of the ISO 13485 Standard, and this
is the primary method recommended by the ISO 19011 Standard for auditing–although
other methods of auditing are covered, as well.

5. Surveillance

[THE REGISTRAR] arranges for surveillance audits semi-annually or annually, as

requested by the client.
Rob’s 2 Cents

I highly recommend annual surveillance audits, because the short duration of

surveillance audits becomes unrealistically short when the auditor is asked to split their
time between two semi-annual visits. A few clients have indicated that the semi-annual
audits help them by maintaining pressure on the organization to be ready for audits all
year-round, and prevents them from procrastinating to implement corrective actions.
This is really an issue of management commitment that needs to be addressed by the
company. Scheduling semi-annual surveillance audits doesn’t address the root cause.
The only good argument I have for semi-annual cycles is if you have very large facilities
that would have an audit duration of at least two days on a semi-annual basis.

The most important consideration related to scheduling surveillance audits is to ensure

that you schedule the audits well before the anniversary date. I recommend 11 months
between audits. By doing this, you end up scheduling the re-certification audits three
months before the certificate expires. BSI has a different policy. They want auditors to
schedule the first surveillance audit 10 months after the Stage 2 audit, the second
surveillance audit 12 months after the first surveillance audit, and then the re-
certification audit must be scheduled at least 60 days prior to certificate expiration (i.e.,
– no more than 12 months after the second surveillance audit). No matter what,
schedule early.

If you have additional questions about becoming ISO 13485 registered, please post a
discussion question in the following LinkedIn subgroup: Medical Device: QA/RA. For
example, on Monday a new discussion question was posted asking for help with
selection of a Notified Body for CE Marking. You will need to become a member of the
parent group (Medical Device Group)–if you are not already one of the 140,000+
members connected with Joe Hage. George Marcel and I manage this subgroup for
Joe. George is out in the Bay Area and I’m in the Green Mountains.

Save