To be blunt, if your company has put off doing anything about ISO 13485:2016, you need to act immediately.
We’re in the window where there is less than a year until you need to be ISO 13485:2016 certified. There is no extension. ISO won’t accept any excuses - this has been published for at least two years now.
I know you’re busy and there’s a lot going on, but I’ve heard some anecdotal evidence to suggest that perhaps as little as only 2 percent of US medical device companies have their certification done already. This came from an auditor at one of the largest notified bodies. That implies that a lot of companies are in the same position - they might be ISO certified right now, but they haven’t made the switch to get updated.
If your company is only just waking up to the need to get going on ISO 13485:2016, then you’re probably going to have to get in line. It may be too late to meet the deadline on time, depending on what you have left to do...
ISO 13485:2016 timeline
March 31, 2019 - this is the date by which all companies that are currently 13485 certified need to have transitioned to the 2016 regulations. The clock is ticking now!
I’ve heard that it’s easily 90 days, and in some cases 120 days to have a scheduled ISO audit right now. Take that four months off what you have left until the deadline, and you have a mere few months to get ready. I suggest you treat this like a project and create a set of deliverables across that timeline.
To give an overview (some of which I’ll go further into), here is what you might be looking at in terms of time:
1 - 4 months registrar queue
1 - 2 months GAP analysis (Download our Checklist Here .)
1- 3 months to review processes and get them up to speed
30 - 60 days for stage one audit
60 - 90 days for stage two audit
This is 10 months at a minimum to get through - you need to act now!
First of all, you’re going to need to conduct a GAP analysis. There are changes you will need to make with your quality system in order to transition to the 2016 requirement. Your registrar will ask to see this analysis as they like to use it as a guide. You can either do it yourself or hire a consultant to do it for you.
You should treat a GAP analysis as an internal audit and look holistically at your overall quality management system. With an aggressive timeline, you might get through it in six weeks, but realistically, a small company will need a couple of months. The only way you might do it quicker is if you are willing to devote full time resources to getting the analysis done. One to two months is a very aggressive timeline.
After your GAP analysis, you will have actions that you need to take. For example, risk is a huge component of 13485:2016, with the term “risk based” being applied to many sections. This includes things like dealing with complaints taking a risk-based approach. You’ll be touching at least 50 percent to 75 percent of your QMS in some way, with some changes being more substantial than others.
Most changes will be relatively minor, but some will take a lot more to revise, involving several stakeholders in your company. Regardless of the nature of the change, it takes time to redo procedures. I would estimate around one month for minor changes and around three to five months for more substantial changes.
Now we’re building a picture - if you’ve taken around two months to get through your GAP analysis, then another three or more months to revise procedures, followed by a four month wait for audit, then you can see your timeline is very tight as of right now. I would suggest that you talk to your registrar now and find out exactly what they require to go through the certification process with you. At the very least, you need to be in their queue!
Once booked, you go through your stage one audit, and if additional changes need to be made, you have to do this ahead of stage two. Keep in mind that you need enough time to make any changes. At stage one, they’re looking to ensure you have compliant procedures, while at stage two, they want to see evidence of you actually following your processes.
Another key thing among all of this is training. This is HUGE. You’re touching up to 75 percent of your quality system, and with lots of moving pieces, need to be able to train team members on the changes. Add some more time to the little that you have for this…
What if you’re not certified on time?
If you don’t get certified on time, then you fall outside of the scope of ISO - you are no longer current. This means you might have to exit the EU market as your quality system is no longer compliant with their requirements. This will potentially be a huge impact on revenue.
In another twist, Canada is requiring ISO 13485:2016 and the Medical Device Single Audit Program by January 2019 - this adds another couple of months to your timeline if you’re entering the Canadian market. If you don’t do it, you’re exiting that market until those are addressed, and losing revenue over the time that you’re out.
That’s the bottom line really - for some companies, loss of revenue from the EU and Canadian markets would have a severe impact.
What should you do now?
Don’t panic; however, take action immediately.
Contact your registrar, start on GAP analysis and updating your QMS. Greenlight Guru can help through resources and by guiding you through the system. One of the key things provided is traceability, which is now mandated by ISO 13485:2016. Our workflows help you to manage and streamline processes, and work to a tight timeline. With alternatives such as paper-based systems, you won’t have the means to be scaleable or monitor all the parts of your QMS so closely.
Our clients have used our QMS software to get through ISO 13485:2016 already:
"We adopted Greenlight Guru 18 months ago to build our QMS. We recently passed our ISO 13485 Stage 2 audit, due in part to the ability to demonstrate a comprehensive matrix of risk and design controls. Demonstrating our QMS using a tool like GG was fundamental in this achievement. I'll also say that the team at GG has been a phenomenal resource and support for us. I never feel like I'm weeding through the quagmire of compliance alone, they are part of our team." - Linda Cox, SVP QA/RA, beneSol
If you have questions about where to start, or would like a demo, contact us here.