How To Prepare For Your First ISO Audit
Overview of ISO 13485:2016
ISO 13485:2016 is the industry standard for quality management systems for medical devices. Medical device specification developers, manufacturers, and distributors seek certification to ISO 13485:2016 for many reasons. Whether your organization is seeking ISO 13485:2016 certification as a pathway to improve your quality management system (QMS), a method for demonstrating your commitment to quality to your customers, or as a customer-imposed requirement for a business relationship, Rook Quality Systems can help equip your organization with the tools necessary to obtain this industry-recognized certification.
What To Expect For Your First ISO 13485:2016 Audit
After you have selected an accredited registrar which will perform your audits and issue your certification upon the successful completion of these audits, your next step is to prepare for the audit itself. Initial certification audits are split into two halves – Stage 1 and Stage 2.
Stage 1 audits focus on the higher-level view of the QMS, including procedure reviews, QMS scope reviews, established controls, and any applicable regulatory requirements. The purpose of the Stage 1 audit is to assess an organization’s readiness for the Stage 2 audit. Auditors will provide a list of observations and nonconformances which will need to be addressed via CAPAs prior to the Stage 2 audit.
Stage 2 audits are more intensive and include a review of all evidence which demonstrates the conformity of the QMS, diving into the processes evaluated in the Stage 1 audit into greater detail, including a review of records.
An audit of the production process during Stage 1 may involve a review of the production procedure, establishing the scope of production activities, and ensuring there are production controls in place. Auditors will expect clear evidence that processes have been established in accordance with regulatory requirements and the ISO 13485:2016 standard.
During the Stage 2 audit, the auditor will review production records including batch records, equipment calibration and maintenance records, monitoring and measurement activities records, and acceptance records. Audits will expect clear evidence in the form of records which demonstrates your conformity during the Stage 2 audit.
How Can I Start Preparing For An ISO Audit?
Ensure that your QMS is documented and addresses every applicable clause within ISO 13485:2016
Your organization’s Quality Manual should explicitly state which clauses are non-applicable, outsourced, or excluded from the QMS. Rook Quality Systems also recommends having an appendix within your Quality Manual which traces your procedures to the ISO 13485:2016 clauses. Here’s a brief example:
| Procedure | ISO 13485:2016 Clause | 21 CFR Part 820 |
| SOP-1 Document Controls | 4.4 | 820.40 |
| SOP-2 Design Controls | 7.3 | 820.30 |
This table will act as a roadmap which will guide auditors (both internal and external) to the correct procedures when auditing a particular clause. This table can also be reviewed to ensure all clauses are addressed by the QMS.
Establish a Quality Plan
Establishing a quality plan is a great method for ensuring appropriate regulatory requirements and standards are addressed by the QMS, appropriate resources necessary for quality are allocated, and identifying the scope of the organization and product(s). QMS planning is a requirement of Clause 5.4 within ISO 13485:2016. Developing a Quality Plan document is the easiest way to demonstrate conformance to this requirement and will make the scope of the QMS more apparent to the auditor, leading to a smoother audit.
Perform an Internal Audit
Having an internal audit performed prior to your Stage 1 audit is extremely valuable. This will allow your organization to identify deficiencies within the QMS so that they can be resolved prior to the audit, allowing for a smoother audit.
At the very minimum, your organization should have an internal audit plan established prior to the Stage 1 audit. It is important to note that internal audit records will be reviewed during your Stage 2 audit.
Perform a Management Review
Similarly, performing a management review prior to your Stage 1 audit is also extremely valuable. This will allow your management team to ensure that your organization’s QMS has established an appropriate scope, quality policy, quality objectives, resources, and identified applicable regulatory requirements. As all of these are within the scope of the Stage 1 audit, verifying these items can ensure there are no high-level gaps prior to your Stage 1 audit.
At the very minimum, your organization should have a management review plan which includes a planned date, as well as an agenda which includes the inputs and outputs listed in Clause 5.6 of ISO 13485:2016. It is important to note that management review records will be reviewed during your Stage 2 audit.
Ensure Appropriate Records are Present
While the Stage 1 audit is less record-intensive than the Stage 2 audit, your organization should still have some record evidence. For example, the auditor will want to review the records for the document approval for your organization’s QMS procedures.
Additionally, your organization should have some design and development records in place. Since ISO certificates include the product(s) offered by the organization within the scope of the certification, the Stage 1 audit will want to confirm the product(s) planned for market matches the product(s) identified within the scope that your organization provided to your registrar. This will be critical for the auditor in preparing for the design and development review during the Stage 2 audit.
Compile your Documentation
Whether your organization’s QMS is paper-based or electronic-based, it is critical to compile and review all your documentation prior to any audit. This will allow you to ensure that all the appropriate documentation is present prior to the audit. Organizing this documentation in accordance with the registrar-provided audit schedule will ensure a seamless audit for both the auditor and the auditee. Spending a majority of the audit trying to locate documents is not an optimal experience for either party.
Final Thoughts
By documenting your QMS, establishing a quality plan, performing internal audits and management reviews, and compiling all appropriate documentation (including records for the Stage 2 audit), your organization can ensure that they are prepared for their first ISO 13485:2016 audit.
If your organization needs guidance in preparing for their first audit, whether it be in the form of an outsourced internal audit, a documentation review, general consulting, or on-site assistance during your first audit, Rook’s team of quality consultants is prepared to assist you.RookQS has a decade-long track record of successfully assisting clients with obtaining ISO 13485:2016 certification. Look to Rook to learn more.