ISO 13485 contains requirements that are beneficial for various types of organizations operating as part of medical device and pharmaceutical supply chains. It's especially vital for organizations that manufacture medical devices or provide services that support medical device manufacturers. Some examples of organizations that use this standard include:

• Medical device manufacturers, including makers of sterile and surgical medical devices
• Companies that provide products, components, or raw materials to medical device manufacturers
• Quality management organisations that work with medical device manufacturers
• Organisations that provide services to manufacturers of medical device

Certification to ISO 13485 is typically voluntary, although some countries require certain medical device manufacturers to comply with ISO 13485. In Canada, for example, class I, II and III medical device manufacturers are required to achieve ISO 13485 certification. Japan and Europe, on the other hand, offer alternative national standards. In many countries, the regulatory standards for medical devices are based on ISO 13485.

Step 1: Obtain the Documents and Study the Requirement

Once you've determined that ISO 13485 is the right standard for your organization, take some time to learn about its requirements. Start by obtaining a copy of the standard itself, along with any supporting documents. You'll need to refer to these documents when creating your implementation plan, and the auditor will refer to them when assessing your QMS. 

Make sure you have the most recent version of the standard, as the update contains several important changes. For example, the latest version requires organizations to ensure that all the organizations with which it contracts comply with ISO 13485 requirements. Once you have the correct documents, look through them and learn about the requirements of the ISO 13485 standard. Getting familiar with these requirements will help the implementation process go more smoothly.

Step 2: Conduct A Gap Analysis

One of the most important steps when implementing ISO 13485 is performing a gap analysis. To conduct a gap analysis, or pre-audit, you asses your company's existing processes and compare them to the requirements of the standard you're seeking certification to. Doing so will reveal the gaps between your company's current system and the system you will need to establish to reach compliance.

The information you gather when performing your gap analysis will inform your ISO 13485 implementation plan. If the gaps you find are wider, reaching compliance will require more extensive changes. If they are smaller, the changes you have to make will be relatively minimal.

When performing a gap analysis, you will typically:

• Compare the requirements of ISO 13485 to your current QMS
• Document how your current system complies and does not comply with ISO 13485 requirements
• Based on the results of your gap analysis, determine what to include in your implementation plan

Once you complete a gap analysis, you typically produce a report that includes:

• The areas in which your company meets the standard's requirements
• The areas in which your company is not complying with the standard's requirements
• Recommendations of what to include in your implementation plan

Step 3: Develop an Implementation Plan

he next step is to start creating a plan to address the gaps you discovered through your gap analysis. This plan will lay out how you will implement ISO 13485 and should include clearly defined, quantifiable objectives with realistic deadlines.

Developing your plan will include designing your quality manual and policy, which involves examining your current processes and updating them as necessary to meet the standard's requirements. You will also need to establish methods for controlling the processes you create, including documentation.

Under the requirements of ISO 13485, there are certain procedures that must be part of your QMS. Note which items ISO 13485 focuses on and ensure they're part of your plan while keeping the unique needs of your organization in mind.

Part of developing your plan is defining its scope, as this will help you see what you need to do and what the boundaries of your implementation are. Properly defining your scope will help you avoid applying your QMS to parts of your business that don't relate to quality while also avoiding applying it too narrowly, which can limit its effectiveness. Your quality policy and manual will help you in defining your scope.

When creating your implementation plan, you should include details about each task you must complete to reach full compliance with ISO 13485. For every task, write down the relevant section of ISO 13485, who is responsible, the necessary documentation, the required approvals, the training required, the necessary resources and the expected completion date.

Your implementation plan should also include information about the costs of ISO 13485 certification and implementation. Also, include information about its benefits and the business case for ISO 13485 certification. This information will help you to account for the costs involved in implementation and certification and get buy-in from managers and employees across your organization.

Step 4: Design the Documentation

To effectively implement ISO 13485, you need to use documentation to control your processes. After you have created or modified the necessary processes, you will need to develop documentation for them. This documentation will help you to prove your compliance and will help guide your processes. You have some flexibility in how you design your documentation, and you don't necessarily have to document every process, but you need to ensure your documentation meets all ISO 13485 requirements.

It's often best to begin with the minimum requirements under ISO 13485, which include a quality manual and various documented procedures, and add further documentation as needed. Be sure to include all documentation requirements in your implementation plan.

Step 5: Provide Training

Another essential step to ISO 13485 implementation is providing the necessary employee training. Make sure all employees are aware that your organization is going to implement ISO 13485 far enough in advance that they can adequately prepare with minimal disruption to their daily work. Provide information to employees about how the implementation process will affect them, what their responsibilities are and how implementation will benefit them. Remembering to include information about the benefits can help to win buy-in.

All team members who will be part of the implementation process should receive the necessary training. Ensure employees have sufficient time to complete training and clear up any questions they may have before they need to take action to enable the implementation.

Step 6: Carry Out Your Plan

Next, you can start implementing your plan as you designed it. Of course, implementing ISO 13485 will look different for each company depending on its existing processes and the details of its implementation plan. Monitor the implementation process carefully, and if issues arise, make changes as needed. Just be sure to document all the changes and inform the relevant employees of any adjustments. Operate your quality management system for several months, adjusting as needed and documenting the process thoroughly.

Step 7: Perform Internal Audits and Reviews

Before you can undergo the third-party audits needed for certification, you must conduct internal audits and a management review. These processes will help you evaluate how your system is working and ensure it complies with the requirements within ISO 13485.

To conduct internal audits, create an internal ISO 13485 audit checklist and use it to thoroughly examine how your QMS is operating. Be sure to carefully document your findings. This documentation will provide evidence that your processes are working correctly and meeting the necessary requirements. 

You also need to conduct a management review. During this review, management should evaluate data from your QMS processes and check that these processes have the resources they need to remain effective and continually improve.

Conducting these audits and reviews will help reveal areas in which your processes are not working adequately. You can then make changes to correct these issues before scheduling audits with a third-party certification body.

Step 8: Select A Certification Body

When you have completed the required audits and reviews and you believe your QMS is ready, you can start researching what third-party certification bodies you can work with. Explore the qualifications and experience of each option and choose one that has the necessary accreditations, experience with ISO 13485 and other medical device standards and strives to help you enhance your organization's processes through the audit. Selecting an auditor with the right characteristics can help the certification process go smoothly and maximize the value you get out of the audits.

Step 9: Complete the Third-Party Audit and Certification Process

Once you've selected the auditor you want to work with, you can begin undergoing third-party audits. Through the audit process, the certification body verifies that you meet the requirements of ISO 13485. If you pass the audits, you will become certified to ISO 13485.

To get started, fill out an application with the auditor you selected and give them information about your organization, the standard you're aiming to be certified to and other relevant details about your implementation process. At Aequalis, we have a quick quote form and a formal quote request form you can use to submit your application. With the information you provide us with, we define the scope of the audits and put together a certification proposal.

Once you agree to the proposal, you can get started with the assessment phase, provided that you have operated your QMS for at least three months and have completed a full cycle of internal audits as well as a management review. The initial certification audit includes two visits from an auditor.

During the first visit, the auditor will conduct the stage one assessment, which verifies that your organization is ready for the full assessment. The stage one assessment includes a documentation review held at your management system centre.

During this first assessment, the auditor will:

• Confirm that the details your organization submitted in its application process are accurate
• Verify that your QMS meets the requirements of ISO 13485
• Check that your QMS has been running for at least three months
• Confirm the scope of your certification
• Verify legislative compliance

At the end of this assessment, the auditor will provide you with a report that describes any non-compliance or potential improvements found during the visit. If significant issues are found, you must create a corrective action plan. If your QMS passes the audit, you can schedule your next assessment visit.

During the next visit, the auditor will complete the stage two audit, which verifies whether your QMS meets the full requirements of ISO 13458. This audit includes all of the locations that fall under the scope of your certification.

When completing this assessment, the auditor will do the following:

• Document whether your QMS complies with the requirements of ISO 13485 using objective evidence
• Take sample audits of the relevant processes and activities
• Visit any remote sites and other additional locations to assess how the QMS operates off-site
• Document any areas of non-compliance and potential improvements

If the audit reveals any substantial non-conformances, your organization will need to take corrective action, which an auditor must verify, before issuing the certification. If the necessary corrective action doesn't occur within six months, you'll need to complete another stage two assessment before you can receive certification.

If you pass the stage two audit, the certification body will issue a certification that is valid for three years.

Step 10: Maintain Your Certification

To maintain your certification during the three-year certification cycle, you must complete an annual surveillance audit. A surveillance audit is a partial audit that verifies your organization is maintaining compliance with the standard and making continual improvements to the QMS.

If your business changes during the certification cycle, such as by increasing or decreasing staff size or adding or removing locations, inform your certification body as soon as you can. This means that we can look at your risk to your company, legislation and scope before your next audit.