When it comes to medical devices, compliance isn’t based on the honor system. Depending on where you intend to sell your device, you’ll undergo an ISO audit or inspection of your company’s quality management system (QMS) to ensure that your company is developing and manufacturing safe and effective medical devices.
To sell your medical device in markets around the world such as Europe or Canada, you’ll need to comply with ISO 13485:2016, the international standard for medical device quality management systems, and obtain ISO certification. You receive this certification by passing an ISO audit.
Here’s what you need to know about ISO audits and how you can navigate these important regulatory events for conformity to the standards applicable to your product:
ISO stands for International Organization for Standardization, an independent, non-governmental organization that issues standards designed to facilitate global commerce and keep consumers safe.
An ISO audit is simply an on-site verification by an auditor that the processes and procedures you have in place conform to ISO standards. Passing an ISO audit is a stamp of approval—it shows regulators, healthcare providers, and patients that your claims about product quality can be independently verified by a third party.
ISO audits are performed by auditors from a notified body—an independent organization that has been established to assess the conformity of a medical device to applicable standards and requirements before it can be placed on a given market.
It’s important to note that these audits are not conducted by regulatory bodies, such as the Food and Drug Administration (FDA) in the US. Though ISO certification is necessary to sell your device in many markets, it is still technically a voluntary standard.
If you want to sell your medical device in both the US and the EU for instance, your QMS will need to conform to ISO 13485:2016 and meet FDA’s quality system regulations, 21 CFR Part 820. There is plenty of overlap between the two, but it’s essential you understand who is auditing your company and how to meet their unique expectations during an ISO audit and/or FDA inspection.
There are many ISO standards used in the medical device industry, including but not limited to:
ISO 13485 - the standard for quality management systems
ISO 14971 - the standard for the application of risk management to medical devices
ISO 62304 - the standard for software that is used in medical devices
ISO 15223 - the standard for symbols used on medical device labels, labelling, and information supplied by the manufacturer
ISO 11607 - the standard for sterilized packaging of medical devices
While all the standards regarding medical devices are important, the two most critical to the success of your device and the health and welfare of its end users are ISO 13485 and ISO 14971, the international risk management standard for medical devices.
These two standards are closely related, and the 2016 version of ISO 13485 specifically references risk management and emphasizes a risk-based approach to quality management.
You should expect your ISO audit to include four main steps:
An off-site review. This may be conducted prior to the on-site audit of your quality system and processes, and is used to ensure that your company is ready for the on-site audit.
Physical verification of conformity. Finally, auditors will verify conformity with these processes through interviews with key stakeholders and observation of your facility. Be prepared for them to look around the site and interview employees to determine whether your company is compliant or simply paying lip service to quality.
The ISO certification audit ensures compliance with all the elements of a given standard—in this case, ISO 13485:2016.
This is the audit you must pass in order to obtain your ISO certification and sell your product in markets which require compliance with ISO 13485:2016. The certification expires after three years and your company must be recertified at that time.
An ISO surveillance audit is a formal review that takes place between certifications. Surveillance audits happen at least once a year, but may occur twice a year.
ISO auditors are generally focused on whether your company is still meeting the necessary ISO requirements and upholding applicable QMS standards. They will also touch on any issues observed in previous ISO audits as a means of ensuring your company has taken the proper steps to correct them.
As soon as you think you want to sell a medical device in Europe, Canada, or any other market that requires ISO certification, you should get your copy of the ISO 13485:2016 standard and conduct a gap analysis to understand where the gaps exist between your current QMS procedures and the applicable ISO 13485:2016 requirements.
There are also two internal activities that ISO 13485:2016 requires you to carry out regularly: internal audits and management reviews. Done correctly, they provide invaluable preparation for an external ISO audit.
Internal audits are chances for your company to monitor and ensure the effectiveness of all your quality management processes. Each process—like those involved in design controls, for instance—must be audited at least once a year according to a documented schedule.
Remember, internal audits are not optional. They are mandated by ISO, and it’s a good idea to perform them throughout the year, rather than waiting until the end of the year and treating them as a checkbox activity.
Internal audits are only an effective method of preparation if they are taken seriously. An internal audit checklist helps ensure that your internal audits are comprehensive and thorough without becoming an untenable burden to everyone within the company.
You can start by breaking your checklist into sections, such as design and development, management, and purchasing controls, and then auditing the various processes within each section.
You can also download the free ISO 13485:2016 audit checklist from Greenlight Guru.
Management reviews focus on the bigger picture, as opposed to internal audits, which are focused on individual processes. The purpose of a management review is to ensure that executive management is involved in evaluating the key processes and operations within the company’s quality management system.
While management reviews are required once per year, it’s a good idea to do them at least twice a year in preparation for external ISO audits as well as for internal accountability and process improvements.
Passing an ISO audit is about more than just compliance. It’s about a proactive focus on True Quality within your entire company. Unfortunately, paper-based, legacy QMS tools make it extremely difficult to keep the focus on quality. Too often, managing the myriad documents and spreadsheets using general-purpose tools eats up time and energy that could have been spent elsewhere.
That’s why Greenlight Guru built our eQMS platform specifically for medical device companies to simplify these historically complex processes. Our cloud-based software comes out-of-the-box with the only risk management solution that aligns with ISO 14971:2019, ISO 13485:2016, and FDA QSR best practices built into every feature.
Additionally, our eQMS comes with a dedicated Audit Management workspace that allows teams to demonstrate full traceability and auditability throughout the system.
Head into your next ISO audit with confidence by getting your free demo of Greenlight Guru today.
Sara Adams is a Medical Device Guru at Greenlight Guru and a Certified ISO 13485 Lead Auditor who began her career in the medical device industry in the post-manufacturing world. As an experienced Quality Engineer, she has been responsible for leading Corrective and Preventive Action (CAPA) investigations and...