The video provided below explains what is included when you purchase our standard operating procedures (SOPs) for ISO 13485:2016.

Do you need Standard Operating Procedures?

Our turnkey quality management system for compliance with ISO 13485:2016 includes all of the standard operating procedures (SOPs) required by the standard and 21 CFR 820, 21 CFR 803, and 21 CFR 806 for the FDA. It also includes procedures for Canadian Medical Device Licensing and European CE Marking. In total, we have 46+ procedures (listed below). The standard operating procedures (SOPs) also have associated forms, logs, and templates. We also completed updates to our procedures for Regulation (EU) 2017/745.

Turnkey Quality System - Global (1 of 4 installments)

The turnkey quality system - Global costs a total of $8,500, but we offer you the option to pay in four monthly installments of $2,125. If you want to make other payment arrangements, please contact Becca Taylor @ becca@medicaldeviceacademy.com.

Price: $2,125.00

If your company is only interested in compliance with the US Market (i.e., 21 CFR 820, 21 CFR 803, 21 CFR 806, 21 CFR 830 for the FDA), we offer a turnkey quality system for the US-only market at a reduced price of $6,000. The US-only turnkey quality system does not include the seven procedures identified below as “Global”. There are additional pricing options and configurations of the turnkey quality system described at the end of the work instruction that you can view when you click on the button below. However, please remember that “turnkey” does not mean “work-free“. It takes approximately 100-120 hours to implement a medical device quality system and after you implement the quality system it will take at least 4-8 hours per week to maintain the quality system for even the smallest start-up with most processes outsourced.

Turnkey Quality System - US Only (1 of 4 installments)

The turnkey quality system - US Only costs a total of $7,000, but we offer you the option to pay in four monthly installments of $1,750. If you want to make other payment arrangements, please contact Becca Taylor @ becca@medicaldeviceacademy.com. The US-only version does not include 6 of the procedures marked as "Global".

Price: $1,750.00

In addition to procedures, forms, log sheets, and templates, the quality management system includes an initial draft of your new quality. These documents require customization to fit your operations, such as the identification of your company name and logo. The Medical Device Academy logo and [Company Name] are included within the documents as placeholders. We also provide 16 pre-recorded training webinars. We also provide exams (i.e., 10-question quizzes) to verify training effectiveness. If you submit the completed exams to us by email in the native MS Word format, we will correct the exams and email you a training certificate with your corrected exams. The list of training webinars included with our turn-key quality system is provided below:

1. Good Documentation Practices
2. Design Controls
3. Risk Management
4. How to qualify your suppliers
5. Control of Nonconforming Product
6. How to create a risk-based CAPA process
7. 21 CFR 820
8. Process Validation
9. Management Review
10. Complaint Handling and Vigilance
11. How to audit using the process approach webinar
12. UDI
13. Software Validation
14. Create an ISO 13485 Quality Plan
15. What is ISO 13485? – Stage 1 & 2 training webinars
16. Design Change Webinar (Updated for 2022)

Finally, you will receive up to 8 hours of consultation to discuss any questions or assist with adjustments and edits for your individual system and situation delivered through email, phone, or Zoom Meetings.

If you are thinking about purchasing standard operating procedures (SOPs), instead of writing procedures yourself, it’s essential to understand the intent of the author that wrote the procedures. Many buyers expect to “pay by the pound.” After writing hundreds of procedures, I found that it requires more work to write a short and effective procedure than a 50-page dust collector.

If a company has a sophisticated quality management system, procedures tend to be lengthy, because each time an auditor finds a problem, another section is added to “clarify” the procedure. I try to write standard operating procedures that are concise and meet the requirements for an early-stage medical device company. Larger companies do not ask me to write many procedures. They ask me to audit procedures and to edit their procedures, but they seldom want me to start from scratch.

When Medical Device Academy writes standard operating procedures, we use a standard template for the sections. Almost everyone does this, but our template contains three unique elements:

1. monitoring and measurement requirements for the process
2. training and retraining requirements for personnel
3. application of risk management

The video below is describing our new work instruction for how to implement the turnkey quality system. You can download the work instruction using the button above. The work instruction is specific to the Medical Device Academy team, but anyone may copy the content of this work instruction and adapt it to their quality system implementation needs. If you want a quote for the quality system, please contact Lindsey Walker directly at sales@medicaldeviceacademy.com.

There is a section of the work instruction that is specific to creating a project in Asana. The above video shows you how to copy the 15 steps of the quality system implementation from the work instruction into a spreadsheet. Then this is saved as a .csv file (download link). Finally, the video shows you how to import the .csv file into Asana so that you can create a project in Asana for tracking and managing the implementation of Medical Device Academy’s turnkey quality system. The video was specifically designed for the free version of Asana if you need to share the project in Asana with people outside of your organization or you do not have the budget for Asana’s paid version.

If you want to learn more about our procedure template, please read our blog about it. You can also search our blog archives for the term “SOP” or “procedure.”  Other product highlights are provided below, and the button below gives you a complete list of all our procedures, forms, templates, and logs.

• Written specifically for early-stage medical device companies
• Create a ready-made off-the-shelf Quality System for your company
• Includes free updates for the ISO 13485:2016 as they become available
• Can be used for FDA 483 responses
• Are audit-ready
• Incorporates risk management into each procedure
• Includes monitoring and measurement requirements for the process
• Includes training and retraining requirements for personnel
• Written by highly experienced industry subject matter experts

If you want to purchase individual procedures or review what is included in a specific procedure, you can click on any of the hyperlinks provided below. If there is not a hyperlink, we will have one soon, or we can review the content with you in a Zoom session.

Each month Alysha picks a new procedure or webinar that will be eligible for the “Alysha” 50% discount. Just type Alysha in the discount code box. November’s discounted procedure is SYS-023 Nonconforming Product Procedure.

• POL-001 Quality Manual (Webinar Bundle)
• WI-002 Remote Auditing Work Instruction (Webinar Bundle)
• WI-003 Electronic Submission Gateway Work Instruction
• WI-007 Cybersecurity Work Instruction (Webinar Bundle)
• WI-008 Security Incident Response Policy (Webinar Bundle)
• WI-009 Conducting FDA Inspections (Webinar Bundle)
• SYS-001 Document Control (Webinar Bundle)
• SYS-002 Control of Records (Webinar Bundle)
• SYS-003 Management Review (free example with two webinars)
• SYS-004 Training Procedure (Webinar Bundle)
• SYS-005 Facility, Plant and Equipment Maintenance (Webinar Bundle)
• SYS-006 Change Control (Webinar Bundle)
• SYS-007 Customer Related Processes (Webinar Bundle)
• SYS-008 Design Controls (Webinar Bundle)
• SYS-009 Clinical Procedure (Webinar Bundle)
• SYS-010 Risk Management (Webinar Bundel)
• SYS-011 Supplier Quality Management (Webinar Bundle)
• SYS-012 Production Process Controls (Webinar Bundle)
• SYS-013 Servicing (Webinar Bundle)
• SYS-014 Process Validation (Webinar Bundle)
• SYS-015 Distribution Procedure (Webinar Bundle)
• SYS-016 Calibration (Webinar Bundle)
• SYS-017 Monitoring, Measuring & Data Analysis (Webinar Bundle)
• SYS-018 Customer Feedback & Compliant Handling (Webinar Bundle)
• SYS-019 Post-Market Surveillance
• SYS-020 Recalls & Advisory Notices (Webinar Bundle)
• SYS-021 Quality Audits (Webinar Bundle)
• SYS-022 Statistical Techniques
• SYS-023 Nonconforming Product (Webinar Bundle)
• SYS-024 CAPA (Webinar Bundle)
• SYS-025 Technical Documentation – Global
• SYS-026 Installation
• SYS-027 Purchasing
• SYS-029 Medical Device Reporting (Webinar Bundle)
• SYS-030 Labeling Procedure
• SYS-031 EO Sterilization Validation
• SYS-032 Identification & Traceability
• SYS-033 Receiving Inspection (Webinar Bundle)
• SYS-034 Monitoring of Controlled Environments
• SYS-035 Incident Reporting – Global
• SYS-036 Vigilance Reporting – Global
• SYS-037 Implant Card Procedure
• SYS-038 Controlled Environment Gowning
• SYS-039 UDI Procedure
• SYS-040 Controlled Environment Cleaning
• SYS-041 Clinical Evaluation Procedure – Global (Webinar Bundle)
• SYS-042 Canadian Licensing Procedure – Global
• SYS-043 Steam Sterilization Validation Procedure
• SYS-044 Software Development and Validation Procedure (Webinar Bundle)
• SYS-045 Returned Materials Authorization Procedure
• SYS-046 Packaging Validation Procedure
• SYS-047 GAMMA Sterilization Validation Procedure
• SYS-048 Usability Procedure (Webinar Bundle)
• SYS-049 Communication with competent authorities, notified bodies and other economic operators – Global
• SYS-051 Software Tool Validation Procedure (Webinar Bundle)
• SYS-052 Translation Procedure – Global
• SYS-053 Medical Device File Procedure (Webinar Bundle)
• SYS-054 VHP Sterilization Validation (Webinar Bundle) – October 7, 2024

Learn how to become ISO 13485 certified while avoiding the stress that tortures other quality system managers.

What is ISO 13485?

ISO 13485 is an international standard for quality management systems that is specific to the medical device industry. ISO 13485:2016 is the most recent version of the standard, and it has become the blueprint for medical device company quality systems globally. If your company wants to design, manufacture, or distribute medical devices you should consider becoming ISO 13485 certified.

Do you have to purchase a copy of ISO 13485?

Yes, you need to maintain a copy of the ISO 13485 standard as a “document of external origin.” This is needed for reference when you are making updates to procedures in your quality system. If you are looking for the best place to purchase a copy of the ISO 13485:2016 standard, we recommend the Estonian Centre for Standardisation and Accreditation. If you purchase a copy, we recommend selecting the option for a multi-user license so the standard can be used by more than one person in your company and printed. The only difference between the EN ISO version and the International ISO version is that the EN ISO version includes harmonization Annex ZA for compliance with the EU MDR and Annex ZB for compliance with the EU IVDR. This version is also referred to as A11:2021. Here’s a copy of the text from the beginning of the Standard:

“This Estonian standard EVS-EN ISO 13485:2016/A11:2021 consists of the English text of the European standard EN ISO 13485:2016/A11:2021. This standard has been endorsed with a notification published in the official bulletin of the Estonian Centre for Standardisation and Accreditation. Date of Availability of the European standard is 08.09.2021. The standard is available from the Estonian Centre for Standardisation and Accreditation.”

The most recent version of ISO 13485 webinars

The webinars explaining the requirements for ISO 13485 were last updated in 2020. Anyone who purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get:

• access to the Stage 1 webinar recorded on July 24, 2020
• access to the Stage 2 webinar recorded on July 28, 2020
• native slide decks for both webinars

This pair of ISO 13485 training webinars explain precisely what you need to do to implement a quality system compliant with ISO 13485. After you create your own plan (a free template is provided with a subscription), you can show the recording of these two webinars to your management team so they can implement your plan in the next several months. All deliveries of content will be sent via Aweber emails to confirmed subscribers.

Webinar duration & format

Webinars were hosted live via Zoom in 2020. The Stage 1 webinar was 64 minutes, and the duration of the Stage 2 webinar was 82 minutes. When you purchase this webinar bundle, you will receive a link to download both recorded webinars from our Dropbox folder. In addition, you will receive links to download the native slide deck for each webinar from Dropbox. 

Purchase the ISO 13485 training bundle

ISO 13485:2016 Training Webinars - Stage 1 & Stage 2

The webinars explaining the requirements for ISO 13485 were last updated for 2020. Anyone that purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get: 1 - access to the Stage 1 webinar recorded July 24, 2020 2 - access to the Stage 2 webinar recorded July 28, 2020 3 - native slide decks for both webinars

Price: $258.00

Exam and Training Certificate available

Exam - ISO 13485:2016 update

This is a 20 question quiz with multiple choice and fill in the blank questions. The completed quiz is to be submitted by email to Rob Packard as an MS Word document. Rob will provide a corrected exam with explanations for incorrect answers and a training effectiveness certificate for grades of 70% or higher.

Price: $49.00

There is a big difference between being ISO 13485 certified and being compliant with ISO 13485:2016, the medical devices quality management systems standard. Anyone can claim compliance with the standard. Certification, however, requires that an accredited certification body has followed the requirements of ISO 17021:2015, and they have verified that your quality system is compliant with the standard. To maintain that certification, you must maintain your quality system’s effectiveness and endure both annual surveillance audits and a re-certification audit once every three years.

Step 1 – Planning for ISO 13485 certification

There are six steps in the ISO 13485 certification process, but that does not mean there are only six tasks. The first step in every quality system is planning. Most people refer to the Deming Cycle or Plan-Do-Check-Act (PDCA) Cycle when they describe how to implement a quality system. However, when you are implementing a full quality system, you need to break the “doing” part of the PDCA cycle into many small tasks rather than one big task. You also can’t implement a quality system alone. Quality systems are not the responsibility of the quality manager alone. Implementing a quality system is the responsibility of everyone in top management.

Below you will find seven tasks listed. I did NOT identify these nine tasks as “Steps” in the ISO 13485 certification process, because these tasks are typically repeated for each process in your quality system. Most quality systems are implemented over time, and the scope of the quality system usually grows. Therefore, you are almost certain to have to perform all of the following nine tasks multiple times–even after you receive the initial ISO 13485 certification. As the saying goes, “How do you eat an elephant? One bite at a time.” Therefore, avoid the inevitable heartburn caused by trying to do too much at one time. Implement your quality system one “bite” at a time.

Task 1 – Purchase applicable standards

The first task in implementing an ISO 13485 quality system is to purchase a copy of the ISO 13485:2016 standard, such as the MDSAP Companion Document. You will also need other applicable medical device standards. Some of these standards are general standards that apply to most, if not all, medical devices, such as ISO 14971:2019 for risk management. There are also guidance documents that explain how to use these general standards, such as ISO/TR 24971:2020, and guidance on how to apply ISO 14971:2019. Finally, there are testing standards that identify testing methods and acceptance criteria for things such as biocompatibility and electrical safety. You will need to monitor these standards for new and revised versions. When these standards are updated, you will need to identify the revised standard and develop a plan for addressing the changes.

When you purchase a standard, be sure to buy an electronic version of the standard so you can search the standard for keywords efficiently. You should also consider purchasing a multi-user license for the standard because every manager in your company will need to look up information in the standard. Alternatively, you could buy a paper copy of the standard and locate the standard where everyone in your company can access it. Often I am asked what the difference is between the EN version of the standard and the ISO version of the standard. “EN” is an abbreviation meaning European Standards or “European Norms,” which is based upon the literal translation from the French (i.e., “normes”) and German (i.e. “norm”) languages. “ISO” versions are international standards. In general, the body of the standard is typically identical but harmonized EN standards for medical devices include annexes ZA, ZB, and ZC that identify any deviations from the requirements in three medical device directives (i.e., MDD, AIMD, and IVDD).

Task 2 – Identify which processes are applicable

Clause 1 of ISO 13485 is specific to the scope of a quality system. ISO 9001, the general quality system standard, allows you to “exclude” any clause from your quality system certification. However, ISO 13485 will only allow you to exclude design controls (i.e., clause 7.3). Other clauses within ISO 13485 may be identified as “non-applicable” based on the nature of your medical device or service. You must also document the reason for non-applicability in your quality manual. Typically, the following clauses are common clauses identified for non-applicability:

1. Clause 4.1.6 – quality system software
2. Clause 6.4 – work environment
3. Clause 7.5.2 – cleanliness of the product
4. Clause 7.5.3 – installation
5. Clause 7.5.4 – servicing
6. Clause 7.5.5 – sterile devices
7. Clause 7.5.6 – process validation
8. Clause 7.5.7 – sterilization validation
9. Clause 7.5.9.2 – implantable devices
10. Clause 7.5.10 – customer property
11. Clause 8.3.4 – rework

Task 3 – Assign a process owner to each process 

The third task is to assign a process owner to each of the processes in your quality system. Typically, you create a master list of each of the required processes. Usually, the assignments are made to managers in the company who may delegate some or all of a specific process. You should expect most managers to be responsible for more than one process because there are 28 required procedures in ISO 13485:2016, but most companies have fewer than ten people when they first implement a quality system.

Task 4 – Prioritize and schedule the implementation of each process

The fourth task is to identify which processes need to be created first and to schedule the implementation of procedures from first to last. You can and should build flexibility into the schedule, but some procedures are needed at the beginning. For example, you need document control, record control, and training processes to manage all of your other procedures. You also need to implement the following processes to document your Design History File (DHF): 1) design controls, 2) risk management, 3) software development (if applicable), and 4) usability. Therefore, these represent the seven procedures that most companies will implement as early as possible. Procedures such as complaint handling, medical device reporting, and advisory notice procedures are usually reserved for last. These procedures are last because they are not needed until you have a medical device in use.

Task 5 – Create forms, flowcharts, and procedures for each process

Forms create the structure for records in your quality system, and a well-designed form can reduce the need for lengthy explanations in a procedure or work instruction. Therefore, you should consider developing forms first. The form should include all required information that is specified in the applicable standard or regulations, and the cells for that information should be presented in the order that the requirements are listed in the standard. You might even consider numbering the cells of the form to provide an easy cross-reference to the corresponding section of the procedure. Once you create a form, you might consider creating a flowchart next. Flowcharts provide a visual representation of the process. You might consider including numbers in the flow chart that cross-reference to the form as well.

Once you have created a form and a flowchart, you are now ready to write your quality system procedure. Many sections are typically included in a procedure template. It is recommended that you use a template to ensure that none of the basic elements of a procedure are omitted. You might also consider adding two sections that are uncommon to a procedure: 1) a risk analysis of the procedure with the identification of risk controls to prevent risks associated with the procedure, and 2) a section for monitoring and measurement of the process to objectively measure the effectiveness of the process. These metrics are the best sources of preventive actions, and some of the metrics might be potential quality objectives to be identified by top management. 

Task 6 – Perform a gap analysis of each procedure

Most companies rely upon internal audits to catch missing elements in their procedures. However, audits are intended to be a sampling rather than a 100% comprehensive assessment. Therefore, when a draft procedure is being reviewed and approved for the first time, or a major rewrite of a procedure is conducted, a thorough gap analysis should be done before the approval of the draft procedure. Matthew Walker created an article explaining how to conduct a gap analysis of procedures. In addition, Matthew has been gradually adding cross-references to ISO 13485:2016 requirements in each procedure. He is color-coding the cross-referenced clauses in blue font as well. This makes it much easier for auditors to verify that a procedure is compliant with the regulations with minimal effort. The success of these two methods has taught us the importance of conducting a gap analysis of all new procedures.

Task 7 – Train applicable personnel for each process 

You are required to document the training requirements for each person or each job in your company. Documentation of training requirements may be in a job description or within a procedure. In addition to defining who should be trained, you also need to identify what type of training should be provided. We recommend recording your training to ensure that new future employees receive the same training to ensure consistency. Design controls training should be the first priority. You are also required to maintain records of the training. You must verify that the training was effective, and you need to check whether the person is competent in performing the tasks. This training may require days or weeks to complete. Therefore, you may want to start training people several weeks before your procedure is approved. Alternatively, you can swap the order of tasks and conduct training after the procedure approval. If that approach is taken, then the procedure should indicate the date the procedure becomes effective–typically 30 days after approval to allow time for training.

Task 8 – Approve the procedure 

Approval of a procedure may be accomplished by signing and dating the procedure itself, while another approach is to create a document that lists all the procedures and forms being approved at one time. The second method is the method we use in our turnkey quality system. Companies can review and approve as many procedures at one time as they wish. Since this process needs to be defined to ensure that all of the procedures you implement are approved, the document control process is typically the first procedure that companies will approve in a new quality system. The second procedure generally is for the control of records. Then the next procedures implemented will typically be focused on the documentation of design controls, risk management, usability testing, and software development. The last procedures to be approved are typically complaint handling, medical device reporting, and recalls. These procedures are left for last because you don’t need them until you are selling your medical device.

Task 9 – Start using the procedure and generating records

The last task required for the implementation of a new quality system is to start using the procedures to generate records. All of the procedures will need records before the process can be verified to be effective. Records can be paper-based, or the records can be electronic. Whichever format you use for the record retention needs to be communicated to everyone in the company through your Control of Records procedure and/or within each procedure. If you include the information in each procedure, the records of each procedure should be listed in the procedure, and the location where those records are stored should be identified. Generally, there is no specific minimum number of records to have for a certification audit, but you should have at least a few records for each process that you implement.

Step 2 – Conducting your first internal audit

The purpose of the internal audit is to verify the effectiveness of the quality system and to identify nonconformities before the certification body auditor finds them. To successfully achieve this secondary objective, it is essential to have a more rigorous internal audit than you expect for the certification audit. Therefore, the internal audit should be of equal duration or longer in duration than the certification audit. The internal audit should not consist of a desktop review of procedures. Reviewing procedures should be part of gap analysis (i.e., task 6 above) that is conducted on draft procedures before they are approved. Internal audits should utilize the process approach to auditing, and the auditor should apply a risk-based approach (i.e., focus on those processes that are most likely to contribute to the nonconforming products, result in a complaint, or cause severe injuries and death).

After your internal audit, you will receive an internal audit report from the auditor. You should also expect findings from the internal auditor, and you should expect opportunities for improvement (OFI) to be identified. Experienced auditors can typically identify the root cause of a nonconformity more quickly than most process owners. Therefore, it is recommended for each process owner and subject matter expert to review nonconformities with the auditor and discuss how the nonconformity should be investigated. The root cause must be correctly identified during the CAPA process, and the effectiveness check must be objective to ensure that problems do not recur.

Step 3 – Initiating corrective actions

Corrective actions should be initiated for each internal audit finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 1 audit. It will take a minimum of 30 days to implement the most corrective actions. Depending upon the scheduling of the internal audit, there may not be sufficient time to complete the corrective actions. However, you should at least initiate a CAPA for each finding, perform an investigation of the root cause, and begin to implement corrective actions.

Also, to take corrective actions related to internal audit findings, you should look for internal audits from other sources. The diagram below shows several different sources of potential corrective and preventive actions.

Monitoring and measuring each process is the best source of preventive actions, while internal audits are typically the best source of corrective actions.  Any quality problems identified during validation are also excellent sources of corrective actions because the validation can be repeated as a method of demonstrating that the corrective actions are effective. However, your ISO 13485 certification auditor will focus on non-conforming products, complaints, and services as the most critical sources of corrective actions. These three sources are prioritized because these three sources have the greatest potential for resulting in serious injury, death, or recall if corrective actions are not implemented to prevent problems from recurring.

Step 4 – Conducting your first management review 

In addition to completing a full quality system audit before your stage 1 audit, you are also expected to complete at least one management review. To make sure that you have inputs for each of the 12 requirements in the ISO 13485:2016 standard, it is recommended to conduct your management review only after you have completed your full quality system audit and initiated some corrective actions. If possible, you should also conduct supplier audits for any contract manufacturers or contract sterilizers. It is recommended to use a template for that management review that is organized in the order of the required inputs to ensure that none of the necessary inputs are skipped. Quality objectives will need to be established long before the management review so that the top management team has sufficient time to gather data regarding each of the quality objectives. Also, you should consider delegating the responsibility for creating the various slides for each input to different members of top management. This will ensure that everyone invited to the meeting is engaged in the process, and it will spread the workload for meeting preparation across multiple people.

At the end of the meeting, top management will need to create a list of action items to be completed before the next management review meeting. Meeting minutes will need to be documented for the meeting, including the list of action items and each of the four required outputs of the management review process. We recommend using the notes section of a presentation slide deck to document the meeting minutes related to each slide. Then the slide deck can be converted into notes pages and saved as a PDF. The PDF notes pages will be your final meeting minutes for the management review. An example of one of these note pages is provided in the figure below.

One of the more common non-value-added findings by auditors is when an auditor issues a nonconformity because you do not have your next internal audit and your next management review scheduled–even though each may have occurred only a month prior to the Stage 1 audit. Therefore, we recommend that you document your next 12-month cycle for internal audits and schedule your next management review as action items in every management review meeting. The schedule can be adjusted if needed, but this allows top management to emphasize various areas in internal audits that may need improvement. You might even set a quality objective to conduct a minimum of three management reviews per year at the end of your first management review.

Step 5 – Stage 1, Initial ISO 13485 Certification Audit

In 2006, the ISO 17021 Standard was introduced for assessing certification bodies. This is the standard that defines how certification bodies shall go about conducting your initial certification audit, annual surveillance of your quality system, and the re-certification of your quality system. In the past, certification bodies would typically conduct a “desktop” audit of your company before the on-site visit to make sure that you have all the required procedures. However, ISO 17021 requires that certification bodies conduct a Stage 1 audit that assesses the readiness of your company before conducting a Stage 2 audit. Therefore, even if the Stage 1 audit is conducted remotely, the certification body is expected to interview process owners and sample records to verify that the quality system has been implemented. Certification body auditors will also typically verify that your company has conducted a full quality system audit and at least one management review. Finally, the auditor will usually select a process such as corrective action and preventive action (CAPA) to make sure that you are identifying problems with the quality system and taking appropriate measures to address those problems.

Your goal for the Stage 1 audit should not be perfection. Instead, your focus is to make sure that there are no “major” non-conformities. The term “major” used to have a specific definition:

1. Absence of a documented procedure or process
2. Release of nonconforming product
3. Repeat nonconformities (not possible during Stage 1)

Under the MDSAP, the grading system for nonconformities now uses a numbering system for grading nonconformities: “Nonconformity Grading System for Regulatory Purposes and Information Exchange Study Group 3 Final Document GHTF/SG3/N19:2012.” Any nonconformity is graded on a scale of one to four, and then two potential escalation rules are applied. If any nonconformities are graded as a four or a 5, then the auditor must assess whether a five-day notice to Regulatory Authorities is required. A five-day notice is required in either of the following situations: 1) one or more findings grading of “5”; or 2) three or more findings graded as “4.” If your Stage 1 audit results in a five-day notice, then you are not ready for your Stage 2 audit. For example, a complete absence of two required procedures in clauses 6.4 through 8.5 of ISO 13485:2016 would result in two findings with a grading of “4.” This would not result in a five-day notice, but the absence of a third required procedure would result in a five-day notice.

The duration of your Stage 1 audit will be one or two days, but a 1.5-day audit is quite common for MDSAP Stage 1 audits. The reason for the 1.5-day Stage 1 audit is that it is challenging to assess readiness for Stage 2 in one day, and if the total duration of Stage 1 and Stage 2 is 5.5 days, then the Stage 2 audit could be completed in four days. The four-day audit is more convenient than a three-day audit for a two-person audit team.

After your Stage 1 audit, you will receive an audit report, and you should expect findings. You should initiate corrective actions for each finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 2 audit. The duration between the audits is typically about 4-6 weeks. That does not leave much time for you to initiate a CAPA, perform an investigation of the root cause, and implement corrective action. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. You are also unlikely to have enough time to conduct an effectiveness check prior to the Stage 2 audit.

Step 6 – Stage 2, Initial ISO 13485 Certification Audit

The Stage 2 initial ISO 13485 certification audit will verify that all regulatory requirements have been met for any market you plan to distribute in. The auditor will complete an MDSAP checklist that includes all of the regulatory requirements for each of the countries that recognize MDSAP: 1) the USA, 2) Canada, 3) Brazil, 4) Austria, and 5) Japan. The auditor will also sample records from every process in your quality system to verify that the procedures and processes are fully implemented. This audit will typically be at least four days in duration unless multiple auditors are working in an audit team.

The audit objectives for the Stage 2 ISO 13485 certification audit specifically include evaluating the effectiveness of your quality system in the following areas:

1. Applicable regulatory requirements
2. Product and process-related technologies
3. Technical documentation

All procedures will be reviewed for compliance with ISO 13485:2016 and the applicable regulations. The auditor will also sample records from each process. If the auditor identifies any nonconformities during the audit, it is important to record the findings and begin planning corrective actions immediately. If you have any questions regarding the expectations for the investigation of the root cause, corrections, corrective actions, and effectiveness checks, you should ask the auditor during the audit or the closing meeting. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. The auditor will not be able to recommend you for ISO 13485 certification until your corrective action plans are accepted.

If you receive a finding with a grading of “5,” or three or more findings graded as “4,” then the MDSAP auditor is required to issue a five-day notification to the regulators. The auditor will also need to return to your facility for a follow-up audit to close as many findings as they can. It is not necessary to eliminate all of the findings in order to be recommended for ISO 13485 certification, but the grading of the findings must be reduced to at least a “3” before recommending the company for certification. The number of findings also determines whether the auditor recommends your company for certification.

In addition to reviewing the findings and conclusions of the audit during the closing meeting, the auditor will also review the plan for the annual surveillance and re-certification with you. Each certification cycle is three years in duration. There will be two surveillance audits of approximately one-third of the duration of the combined duration of stage 1 and stage 2 initial certification audits, and the first surveillance audit must be completed within 12 months of the initial certification audit. In the third year, there will be a re-certification audit for two-thirds of the duration of the combined duration of stage 1 and stage 2 initial certification audits. The initial ISO 13485 certificate will be issued with a three-year expiration, and the certificate is typically received about one month after the acceptance of your corrective action plan.

Q&A

There are no stupid questions, and we can save you weeks of wasted time if you just ask for help. We are always looking for new ideas for blogs, webinars, and videos on our YouTube channel. If you have any general questions about obtaining ISO 13485:2016 certification, please email Rob Packard at rob@fdaestar.com. If you have a suggestion for new ISO 13485 training materials, you can also use our “Suggestion Portal.” You can also schedule an initial free consultation with Rob using his calendly link.

About Your Instructor

Rob Packard is a regulatory consultant with ~25 years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Rob was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Rob’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone at 802.281.4381 or by email. You can also follow him on YouTube, LinkedIn, or Twitter.

This ISO 13485 quality plan webinar will teach you how to create a quality plan step-by-step for compliance with ISO 13485:2016.

When is the ISO 13485 Quality Plan webinar?

The ISO 13485 quality plan webinar will be hosted as a live webinar on June 16, 2020, at 8:30 am EDT. When you purchase this webinar, you will receive an invitation to participate in the live webinar. Everyone that registers for the webinar will receive a link to download the recording if they are unable to attend the live webinar.

Description of ISO 13485 quality plan webinar

If you aren’t sure what is ISO 13485? please visit our 2-part training webinar on the topic. If you’re planning to implement an ISO 13485:2016 quality system at your company or thinking about it. Maybe you are a medical device company with an existing quality management system that needs to implement ISO 13485:2016 in order to expand into export markets, such as Canada, Europe, Japan, or Australia. Maybe you are a supplier to the medical device sector who is required to implement ISO 13485:2016 to retain a customer or to attract new ones. Whatever external factors are driving you toward ISO 13485:2016 certification, you also have the opportunity to build a quality system that will be a source of competitive advantage to your company.

In the ISO 13458 quality plan webinar, you will learn how to develop a quality plan for implementing ISO 13485:2016 in your organization, how to resource and implement that plan, and then achieve ISO 13485:2016 certification in a timeframe that works for your company. You will also learn how to:

• Choose a certification body and schedule audits
• Build a simple, logical document structure
• Analyze which documents must be written or modified
• Integrate the ISO 13485:2016 quality system with other systems already in place
• Identify the records that must be maintained
• Plan the rollout and the training that is required
• Consider the change management aspects of the project

Who should attend the ISO 13485 quality plan webinar?

• Supplier quality
• Quality assurance
• Auditors
• Lead auditors
• Audit program managers
• Senior management

Additional Resources Related to Quality Plans

The following blogs include additional information related to creating quality plans:

• MDR Quality Plan – for EU Regulation 2017/745 Compliance
• How to write a quality system plan template (free download)
• How to implement a new ISO 13485 quality system plan in 2016

VIEW OUR PROCEDURES – CLICK HERE OR IMAGE BELOW:

About Your Instructor

Rob Packard is a regulatory consultant with ~25 years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Rob was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Rob’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone at 802.281.4381 or by email. You can also follow him on YouTube, LinkedIn, or Twitter.