ISO 13485 audit is the methodology through which certification body performs the assessment of a quality system of an organization and issue the related ISO 13485 certificate, upon successful completion of the assessment. 

ISO 13485 is a topic that has been extensively discussed, including the most significant requirements and the most important processes that support the whole quality system of an organization. For example, we have been discussing about design process, management review, post-market surveillance, supplier management, customer related processes, among many others. 

In this article we will focus on how to manage ISO 13485 audits, how these audits are structured and other important tips that you need to know to be successful on ISO 13485 assessment. 

The Certification Cycle

We need to split the ISO 13485 performed at the beginning of the certification cycle or during the certification cycle. 

ISO 13485 audit at the beginning of the certification cycle are basically certification or re-certification audit. The ISO 13485 certification audit is basically the audit that is performed for the first certification of the company; the certification cycle is lasting 3 years (that is the validity of ISO 13485 certificates) and each year there is a surveillance audit. At the third year, at the end of ISO 13485 validity, there is the re-certification audit, and the certification cycle will restart. 

ISO 13485 Certification Audits 

The certification audits, thus the audits performed for the first certification, consists of two different steps, typically named Stage 1 and Stage 2 Audits. 

Stage 1 audit has the purpose to ensure the Standard Operating Procedures for all the QMS processes are in place and that the most important QMS processes such as management review and internal audits have been implemented. Typically stage 1 is performed remotely, however it can be done on-site in case of high-risk devices. 

Stage 2 is the real certification audit, and it consists in a full QMS audits where auditors are checking the correct implementation of all the QMS processes, according to the requirements of ISO 13485. 

Audit Findings Classification

The deviations that the auditors are highlighting are typically named as non-conformities. There are in general two types of non-conformities: major and minor. 

A major non-conformity is a non-conformity that affects the capability of the management system to achieve the intended results. The document IAD MD 9:2022 provides a list of examples of major non-conformities:

• failure to address applicable requirements and implement an entire process for quality management systems. 
• failure to implement applicable requirements for quality management systems.
• failure to implement appropriate corrective and preventative action when an investigation of post market data indicates a pattern of product defects. 
• products which are put onto the market and cause undue risk to patient and/or users when the device is used according to the product labelling. 
• the existence of products which clearly do not comply with the client’s specifications and/or the regulatory requirements.
• repeated nonconformities from previous audits.  

Resolution of non-conformities

When non-conformities are raised, a corrective action plan needs to be submitted to the notified body. In case of major NC, sometimes an additional on-site audit is required to properly check the implementation of the corrective actions proposed by the manufacturer. In case of minor NC, the CAPA plan is submitted and accepted by the auditor; the implementation of the corrective actions and the closure of the related non-conformities is performed during the next assessment visit. 

Opening Meeting and Closing Meeting 

Any audit starts with the opening meeting. In a context of ISO 13485 audit, the opening meeting is performed to collect information on specific topics: 

• confirmation of the scope of ISO 13485.
• get information if any adverse events have been communicated to competent authorities.
• information on the name of management representative and senior management of the organization.
• Information on any substantial change performed to the quality system, to the products or to the product range. 

The closing meeting, instead, it is typically performed to communicate the results of the audit and the non-conformities that were raised during the assessment. 

ISO 13485 Audit Checklist

QualityMedDev has prepared and ISO 13485 Audit Checklist that can be used to support audit preparation against the requirements of ISO 13485; this checklist can also be useful during internal audits or audit to supplier. The use of this ISO 13485 audit checklist is extremely easy and provides an efficient way to have all the requirements in one unique document. It is not necessary to use all the checklist at the same time; depending on the audit scope and audit criteria, only the section of the checklist that covers the audit criteria can be used.

Subscribe to QualityMedDev Newsletter

QualityMedDev is an online platform focused on Quality & Regulatory topics for medical device business; Follow us on LinkedIn and Twitter to stay up to date with most important news on the Regulatory field.

QualityMedDev is one of the largest online platform supporting medical device business for regulatory compliance topics. We provide regulatory consulting services over a broad range of topics, from EU MDR & IVDR to ISO 13485, including risk management, biocompatibility, usability and software verification and validation and, in general, support in preparation of technical documentation for MDR.

If you have any topic for which you would like to have more information or you need template or documentation that is currently not available in our QualityMedDev Shop, do not hesitate to contact us and we will do our best to fulfil your request.

Recently we introduced our Compliance Kits related to EU MDR 2017/745 and post-market surveillance activities. These compliance kits include different guidelines, ebooks, templates and procedures that are essentials.

Moreover, do not hesitate to look at our EU MDR E-book and EU IVDR E-Book collecting a vast number of information on topics related to the European Medical Device Regulation 2017/745 and In-Vitro Diagnostic Regulation 2017/746.