Quality Management Systems for Drugs and Devices
21
six months). Internal audits are good practice for the
external audits to ensure everyone onsite is ready, has a
chance to explain their personal involvement, emphasize
the business value of audits, give advice on interview
behavior and arrange logistical audit support. The Stage
2 assessment is a multi-day, on-site audit of the full
system scope to evaluate QMS implementation and
effectiveness and to examine evidence of conformity
to requirements. The certification body will audit links
between requirements, policies, objectives, responsibili-
ties, competence, procedures and performance.
The next steps for organizations seeking certifi-
cation, following the Stage 1 and 2 audits, are to take
corrective action if any nonconformities arise, receive
the certificate and then maintain and improve the
system. The corrective action plan submitted to the
certification body should address root cause(s) of all
nonconformities, and the organization must await
approval of corrective action(s) from the certification
body. The audit team only recommends certification (or
not) but does not grant the certificate. The certificate
is provided after the certification body’s headquarters
reviews the team’s audit report and makes the final
decision. After the final decision, it is time to notify
customers, suppliers and other interested parties of
successful certification. Some implementation team
members may deserve special recognition for their
efforts. The certification body guidelines should be fol-
lowed on the use of the certification mark to publicize
ISO 13485 certification.
Receiving the certificate is not the end of the quality
process it is an important and valuable milestone. The
system must be maintained and improved continually. The
company has embarked on an ongoing process of opti-
mizing the business outcomes across the organization.
ISO 13485 Audits by a Certification Body
Just like the organizations they certify certification
bodies have their own management systems. These
systems are assessed and accredited by the accredita-
tion body in the country in which the body is based
(e.g., UKAS and SCC), who are members of the
International Accreditation Forum (www.iaf.nu). The
general requirements for bodies certifying management
systems are given in ISO/IEC 17021:2011 Conformity
Assessment—Requirements for Bodies Providing Audit and
Certification of Management Systems. This section focuses
on ISO 17021 Clause 9, which applies to audit process
requirements.
The standard states the audit program should
include a two-stage initial audit, surveillance audits in the
first and second years and a recertification audit in the
third year prior to certificate expiration (Figure 1-9).
The three-year cycle begins with a certification or
recertification decision. A plan must be established and
documented for each audit identified in the program
along with objectives, scope and criteria (Table 1-6).
The audit plan, which is communicated to the
client in advance, includes at minimum the audit’s
objectives, scope and criteria as well as the audit’s dates,
duration and the audit team’s roles and responsibilities.
Audit team selection will be based on the auditor’s
competence to achieve the audit’s objectives, certifica-
tion requirements (e.g., the applicable medical device
regulatory background), language requirements and
impartiality. The audit team also may be supplemented
by technical experts, translators and interpreters.
Figure 1-9. ISO 17021 QMS Certification Cycle
Year 3
• Re-certification
Year 2
• Surveillance
Year 1
• Surveillance
Year 0
• Stage 1
• Stage 2
21
six months). Internal audits are good practice for the
external audits to ensure everyone onsite is ready, has a
chance to explain their personal involvement, emphasize
the business value of audits, give advice on interview
behavior and arrange logistical audit support. The Stage
2 assessment is a multi-day, on-site audit of the full
system scope to evaluate QMS implementation and
effectiveness and to examine evidence of conformity
to requirements. The certification body will audit links
between requirements, policies, objectives, responsibili-
ties, competence, procedures and performance.
The next steps for organizations seeking certifi-
cation, following the Stage 1 and 2 audits, are to take
corrective action if any nonconformities arise, receive
the certificate and then maintain and improve the
system. The corrective action plan submitted to the
certification body should address root cause(s) of all
nonconformities, and the organization must await
approval of corrective action(s) from the certification
body. The audit team only recommends certification (or
not) but does not grant the certificate. The certificate
is provided after the certification body’s headquarters
reviews the team’s audit report and makes the final
decision. After the final decision, it is time to notify
customers, suppliers and other interested parties of
successful certification. Some implementation team
members may deserve special recognition for their
efforts. The certification body guidelines should be fol-
lowed on the use of the certification mark to publicize
ISO 13485 certification.
Receiving the certificate is not the end of the quality
process it is an important and valuable milestone. The
system must be maintained and improved continually. The
company has embarked on an ongoing process of opti-
mizing the business outcomes across the organization.
ISO 13485 Audits by a Certification Body
Just like the organizations they certify certification
bodies have their own management systems. These
systems are assessed and accredited by the accredita-
tion body in the country in which the body is based
(e.g., UKAS and SCC), who are members of the
International Accreditation Forum (www.iaf.nu). The
general requirements for bodies certifying management
systems are given in ISO/IEC 17021:2011 Conformity
Assessment—Requirements for Bodies Providing Audit and
Certification of Management Systems. This section focuses
on ISO 17021 Clause 9, which applies to audit process
requirements.
The standard states the audit program should
include a two-stage initial audit, surveillance audits in the
first and second years and a recertification audit in the
third year prior to certificate expiration (Figure 1-9).
The three-year cycle begins with a certification or
recertification decision. A plan must be established and
documented for each audit identified in the program
along with objectives, scope and criteria (Table 1-6).
The audit plan, which is communicated to the
client in advance, includes at minimum the audit’s
objectives, scope and criteria as well as the audit’s dates,
duration and the audit team’s roles and responsibilities.
Audit team selection will be based on the auditor’s
competence to achieve the audit’s objectives, certifica-
tion requirements (e.g., the applicable medical device
regulatory background), language requirements and
impartiality. The audit team also may be supplemented
by technical experts, translators and interpreters.
Figure 1-9. ISO 17021 QMS Certification Cycle
Year 3
• Re-certification
Year 2
• Surveillance
Year 1
• Surveillance
Year 0
• Stage 1
• Stage 2