If you are using ISO 13485:2016 to create a Quality Management System (QMS) for your medical device company, you will likely consider certification against this standard. Certification by an independent third-party registrar is a good way to demonstrate the compliance for your company, but you can also certify individuals in your organization along the way.
So, what is ISO 13485 certification, you may ask?
Difference between company certification and personal certification
ISO 13485 certification is a general term that is used for two main things. First, you can certify a company, i.e., certify its medical device Quality Management System. Certification of the company QMS involves implementing all of the requirements in the ISO 13485:2016 standard, and then having auditors from an independent third-party certification body come and verify that your QMS processes meet all of the requirements of the ISO 13485 standard. Your QMS is then certified.
Second, you can certify individuals because you will need people in your organization to gain knowledge about ISO 13485 in order to implement and maintain the necessary processes, including the critical process of internally auditing your QMS on an ongoing basis to verify conformance and find improvement. These individuals may find that certified training is helpful in gaining these skills.
What does it mean to be ISO 13485 certified?
There are several steps a company needs to perform to be eligible for ISO 13485 certification. For a company to be certified against ISO 13485, it needs to be in the medical device industry. Then, the ISO 13485 certification process starts with the decision to use the ISO 13485 requirements to create your QMS. The process of implementation is then to create and document all of the processes required by the ISO 13485 standard, as well as customer and regulatory needs.
Once all of the processes and procedures are in place, you will need to operate the QMS for a period of time. By doing this, you will be able to collect the records necessary to go to the next steps: to audit and review your system and get certified. After finishing all your documentation and implementing it, your organization also needs to perform these steps to ensure a successful certification:
Internal audit – The internal audit is in place for you to check your QMS processes. The goal is to ensure that records are in place to confirm compliance of the processes and to find problems and weaknesses that would otherwise stay hidden.
Management review – A formal review by your management to evaluate the relevant facts about the management system processes in order to make appropriate decisions and assign resources.
Corrective actions – Following the internal audit and management review, you need to correct the root cause of any identified problems and document how they were resolved.
Learn more about the implementation process here: Checklist of ISO 13485 implementation steps.
After the implementation is completed, you will need to hire a certification body to send auditors to assess your QMS against the ISO 13485 requirements (see next section for details). When this third-party audit is completed, and they determine that the system you have in place meets all of the ISO 13485 requirements, the certification body will issue a certificate stating that your company’s QMS meets ISO 13485. You can then consider your company to be ISO 13485 certified, and you will start the cycle of maintaining your QMS.
ISO 13485 certification process for companies
The company certification process is divided into three stages:
Stage One (documentation review) – The auditors from your chosen certification body will check to ensure your documentation meets the requirements of ISO 13485. You’ll receive an audit report detailing the areas in which you are compliant, as well as those in which you have problems. You will then be given an opportunity to implement the necessary corrective actions to resolve the problems. This is often done during the same timeframe given for the initial operation of the Quality Management System.
Stage Two (main audit) – Here, the certification body auditors will check whether your actual activities are compliant with both ISO 13485 and your own documentation by reviewing documents, records, and company practices. During this audit, the certification body will send auditors to have a look at the records you have collected through the operation of QMS processes. These records will include those from management review, internal audits, and corrective actions.
When the review is completed, which often takes a few days, the auditors will provide you with an audit report that outlines their findings, including their determination as to whether or not your QMS appears to be effective, and if it complies with the requirements of the ISO 13485 standard. If they find that your QMS meets all of the requirements set out for it, the auditors will recommend you for certification. If they have found any major nonconformances, you will have an opportunity to implement corrective action to make sure the problems are resolved, and that you are ready for certification.
Stage Three (surveillance audits) – The requirements of ISO 13485 mandate that the QMS be maintained and improved, meaning that your ISO certification is not simply a one-time activity. Typically, there is a three-year audit cycle for ISO 13485, which starts with the initial certification audit, which will look at all processes in the QMS. Over the next three years the certification body will perform ongoing surveillance audits of the system (sometimes called maintenance audits), where they only look at a portion of the system along with critical processes such as the internal audit, management review, and corrective action. The maintenance audits happen, at a minimum, once a year during the period in which the certificate is valid. The cycle will start again after the three-year certification period is over, if the company chooses to maintain the ISO 13485 certification and the benefits it provides. At this time, a recertification audit that reviews the entire system will be done to start the certification cycle again.
For some help in choosing the certification body you want to use for your QMS, see this free List of questions to ask an ISO 13485 certification body.
How do I get ISO 13485 certified?
For individuals, there are training courses that individuals can take to get the ISO 13485 certificate. ISO 13485 courses are necessary to provide the information, knowledge, and skills needed to use the ISO 13485 standard for creating and maintaining a Quality Management System in a company. In addition to implementation, individuals who will be auditing the ISO 13485 QMS will need to learn how to do so, and taking an auditing course can be an important part of this knowledge acquisition. For people who want to develop or advance their career in quality management and auditing, these individual certifications are invaluable.
There are a range of course options for individuals to choose from. Each of these courses differ in their purpose, but upon the completion of the course, the participant will get the certificate:
ISO 13485 Lead Auditor Course – This is a four- to five-day training course focused on understanding the ISO 13485 QMS standard and being able to use it for auditing management systems against these requirements. The course includes a test at the end to verify knowledge and competence, and it is only with an accredited course that an individual can become approved to audit for a certification body.
ISO 13485 Internal Auditor Course – This is commonly a two- or three-day course that is based on the lead auditor course above, but does not include the test for competence, so this is most useful for someone beginning to do internal audits within a company.
ISO 13485 Awareness and Implementation Course – Several courses are offered that provide knowledge of ISO 13485 and how to implement it. These can be one- or two-day courses, and they can even include online e-learning sessions as a method of teaching the material. These courses are good for those who need an overview of the ISO 13485 standard, or those who will be involved in the implementation within a company, and many are more economical than investing in the lead auditor course for those involved at this level.
There are a number of accredited training organizations around the world where you can gain individual qualifications in ISO 13485.
For more information on ISO 13485 training and becoming an ISO 13485 lead auditor, see ISO 13485 training requirements & available courses.
To help you get ready for your certification, see a graphical representation of the implementation process here: Diagram of ISO 13485:2016 Implementation Process.