Preparing for a third-party accreditation audit can be a long and tedious process. Many device manufactures, particularly
smaller firms, simply do not have the time, resources or expertise to assess their entire quality management system to identify
and correct all of the potential barriers to certification success. If time is of the essence, or a dedicated internal resource is not
available, the company may decide to enlist the services of an experienced ISO consultant or quality management certification
expert to liaise with the registration body, also referred to as the registrar.
The certification process is typically divided into five phases. If the company is using the services of an ISO consultant, the
consultant will often handle most—if not all—of the phases on behalf of the company. This can save the company a great deal of
time and accelerate the process significantly.
Phase One: Inquiry—ISO itself does not perform certification audits or issue certificates. These services are performed by
external certification bodies. Choosing a certification body is the first step of the inquiry phase. ISO’s website provides some tips
for selecting a certification body. For example, ISO recommends evaluating several registrars before making a final selection. It’s
important that the registrar you select is competent and provides the scope of the certification (i.e., continent, country or product
The evaluation process typically commences with a fact-finding meeting between the registrar and the company seeking
certification. During this meeting, the registrar will attempt to gather background information about the company and its
certification needs. The company will want to inquire about the registrar’s working philosophy, as well as what to expect during
the certification process.
Phase Two: Application—If the fact-finding meeting goes well, the company will be asked to fill out a certification application
form, which can be obtained online. The registrar will review the completed application form, as well as the information gathered
during the inquiry phase, and provide the company with a quote. Obviously, if the company has chosen to follow ISO’s advice,
it will be requesting and receiving multiple quotes, from multiple registration bodies. Once a registrar has been selected, the
company is ready to advance to phase three.
Phase Three: Documentation Review—At this point in the process, the registrar will begin to assess how the company’s
documented quality processes compare or comply with the standard. During phase three, the company may opt to conduct a
trial audit (often referred to as a pre-assessment) to get a sense of the registrar’s auditing style and to see what quality areas, if
any, are deficient. Although a pre-assessment in not required, it is highly recommended in light of the transition planning and
execution of the ISO 13485:2016 version of the standard.
Phase Four: Final Certification Audit—For certification audits, a Stage 1 and a Stage 2 must be conducted prior to the final
certification audit. The combined duration of the audits must comply with the IAF MD9 guidance document. Section 0.3 of ISO
13485 requires auditors to use a “process approach” auditing style, as opposed to a checklist approach. The process approach
utilizes the plan-do-check-act (PDCA) cycle.
Phase Five: Ongoing Surveillance—Annual or semi-annual surveillance audits should be scheduled with the registrar in order
to monitor progress and correction. These audits should be scheduled well in advance of the company’s anniversary date. A
complete assessment restarts every three years.