
ISO 13485:2016 Audit: Overview, Audit Types and Execution

Feb 17, 2022 | Audits, Medical Devices

An ISO 13485 audit provides an objective measure of an organization’s processes and its regulatory compliance with the latest ISO 13485:2016 standard.

Let us say that you are a medical device manufacturer based in the US. You, therefore, need to be compliant with FDA rules and regulations (especially FDA 21 CFR Part 820). Now, you are broadening your market and wish to sell your best-selling percutaneous catheters in Europe. You will realize that to do so, you need to be compliant with ISO 13485:2016.

ISO 13485:2016 is the latest edition of ISO 13485, which, as we know, is the principal international QMS (Quality Management System) standard for medical device companies. All medical device companies wishing to sell their devices in the European Union (EU) must pass an ISO 13485:2016 audit that is conducted by a Notified Body.


What Is the ISO 13485:2016 Audit?

An ISO 13485:2016 audit helps determine that the medical device company complies with an international standard acceptable in global regions such as the EU.

All medical device companies that sell their products in the EU must pass an ISO 13485 audit that is conducted by a Notified Body. As a medical device company, you will need to pass the ISO 13485:2016 certification audit and acquire the CE mark before you can sell your products in the EU.

ISO 13485:2016 vs. FDA 21 CFR Part 820

If you are selling your medical device products only in the US, you come under the rules and regulations of the US FDA. You will need to comply with 21 CFR Part 820.

21 CFR Part 820 cites the medical device Quality System Regulations (QSR) for medical device manufacturers. This document covers ‘The design, manufacture, packaging, labeling, storage, installation, and servicing of all finished products that are intended for human use’. This also comprises the facilities and designs applicable to these products.

Please note that 21 CFR Part 820 is a legal necessity and non-compliance can result in citations, recalls, fines, or litigation. You can obtain ISO 13485 certification, but it is not an obligation in the US.

On the other hand, if you are planning to sell your medical devices in the EU, you need to conform to the standards defined by ISO 13485:2016. If you do not get an ISO 13485:2016 audit done, you cannot sell your products in certain international markets.

ISO 13485:2016 Audit Types

Under ISO 13485:2016, you can expect three types of audits:

Internal Audits

As per ISO 13485:2016 requirements, you will perform regular internal audits to appraise conformity, identify areas for improvement, and check the effectiveness of your QMS. Your company needs to have a formal internal audit program in place and meticulously document all policies, protocols, and records of internal audits done.

Let us say that during an internal quality audit, your internal auditor has found that there are some gaps within the QMS (Quality Management System), and because of lapses in the documentation, it does not conform to the ISO 13485 standard.

As a result, you will need to immediately rectify these missing parts.

External Audits

These audits under ISO 13485:2016 standards include:

  • Customer audits
  • Supplier audits
  • Certification audits
  • Recertification audits
  • Surveillance audits

Let’s look at each in more detail.

In a customer audit, a customer (existing or potential) will audit your company to make sure you are meeting their requirements.

For example, if you are selling your percutaneous catheters to a top hospital chain in the EU, they are likely to audit your company before purchasing the product.

In a supplier audit, your company will audit a potential or existing supplier to ensure that quality standards are met.

For instance, you may wish to audit a potential supplier of the materials needed for your percutaneous catheter before going ahead.

A certification audit is conducted by a selected registrar to verify that you are conforming with the ISO 13485:2016 standard before you are issued with the official ISO 13485:2016 certificate.

There are two stages in this process:

  • In stage I, the auditor will determine whether your company is ready for the main audit. Stage I audits can be conducted remotely.
  • Stage II audits are always on-site, and the auditor(s) will review all documented information, interview your staff, etc., to verify that your company meets all the required ISO 13485:2016 standards.

Recertification audits are conducted every 3 years by the selected auditor.

Once you are certified, the registrar will periodically check on your company (usually once a year). These are called surveillance audits, and ensure that you are maintaining all QMS (Quality Management System) and ISO requirements.

Once you have the ISO 13485:2016 certification, you can then apply for the Conformité Européenne (CE) Mark. The CE mark is the EU’s mandatory conformity marking, which has regulated all items sold within the European Economic Area (EEA) since 1985.

The Medical Device Single Audit Program (MDSAP) is another type of certification that some medical device companies prefer. This allows you, the manufacturer, to receive a single audit so that you meet up to five regulatory quality system requirements, all at one cost. Such an audit is performed by Auditing Organizations (AOs) and is authorized by the Regulatory Authorities.

The advantage is that with a single MDSAP, you are audited for compliance with ISO 13485 and other regulatory necessities.

Unannounced Audits

When Notified Bodies or regulatory authorities in the EU or the US FDA conduct an audit of your medical device company without prior notice, it’s called an unannounced audit.

The frequency of these audits depends on the medical device class, and they take place at least once every three years. These rules apply to supplier audits as well.

Let us say that a company’s medical device is found to be substandard on auditing. Although the company has stated that the product is now safe and efficacious, notified bodies will carry out unannounced audits until they are satisfied with the product.

To help you manage your audit documentation such as audit plans, audit findings, audit reports, etc. in an efficient way, you can use an audit management module in a medical device QMS software solution like SimplerQMS. This will help you automate audit tasks and integrate your audits with non-conformance and CAPA management.

How Often is ISO 13485:2016 Auditing Done?

Once the initial certification audits are completed, regular surveillance audits take place once a year to ensure that your company is compliant with ISO 13485:2016.

Recertification audits take place every three years once the initial certification audits are completed.

If you are launching a new medical device in the EU, you will face an initial certification audit, followed by annual surveillance audits, and recertification audits once in three years.

How to Prepare for ISO 13485:2016 Audits?

Let’s imagine that now you are ready to go for ISO 13485:2016 certification since you intend to sell your percutaneous catheters in the EU market.

First of all, you will purchase the ISO 13485:2016 standard and conduct a gap analysis.

The gap analysis will establish whether your QMS meets the required standards or not. The next steps would be to implement a plan of action for achieving compliance with ISO 13485:2016.

Your company will put a cross-functional team in place to delegate tasks and take the necessary actions.

Once the teams and procedures are in place, consider an internal audit or a mock audit to see whether you are ready or not. Once you are ready for ISO certification, go ahead and contact a Notified Body for conducting the audit.

Considering that the COVID-19 pandemic has upended life as we know it, you should be ready for remote auditing and follow best practices. This will require setting up the right IT systems, video conferencing software, file-sharing platforms, and an eQMS.


How Are the ISO 13485:2016 Audits Conducted?

The typical steps that a medical device company takes for ISO 13485:2016 auditing are as follows.

Your company will contact a Notified Body to conduct the audit. The Notified Body will assess you in two stages, as mentioned before: an off-site document review and the on-site audit.

The off-site review of all your quality documentation will determine whether or not your QMS conforms to all necessary requirements for ISO 13485:2016. The Notified Body will not only check every QMS document, but will also check that all QMS procedures and protocols are in place throughout the lifecycle of the product.

During the on-site auditing, the Notified Body will corroborate your compliance via interviews with employees and factual observations. This is to ensure that your company is following all the quality system processes.

If you want to learn more about audits in the medical device industry, check out our guide on medical device audits.

How to Facilitate ISO 13485:2016 Compliance with QMS Software?

If your company is still going the traditional way and using a manual paper-based process for documenting QMS, you will know that it is both time-consuming and difficult.

An efficient eQMS such as SimplerQMS software allows for automated data collection, routing, notifications, follow-ups, approvals, and much more. You can digitize and automate all documentation processes for DHF, DMR, and DHR with robust design control software.

Cloud-based QMS software allows you to access all the required documentation and present the same to the auditor with only a couple of clicks.


Final Thoughts

ISO 13485 certification is necessary for all medical device companies that wish to target the European market.

For the purposes of auditing, you will require a Notified Body to conduct the same. Once the certification is obtained, you will need to undergo surveillance audits annually and recertification once every three years.

With the help of an efficient eQMS such as SimplerQMS, you will be able to automate audit-related activities and, as a result, reduce the time and effort needed to successfully pass audits. If you are interested in making audit readiness your competitive advantage by using an eQMS, we recommend booking a personalized demo and talking to our experts.
