Good morning all!
Last week, we had our phase-2 audit for ISO 9001:2008, ISO 13485 and
MEDDEV which ended up in the company being recommended for certification.
I simply wanted to thank all of you since I got sooooo much information and answers to my questions from this website! This is truly one of the best website (if not THE best) for information, all categories considered!
Thanks again!
P.S. If I can ask one other question: at which point can we officially say that the company is certified? When we get the actual certificate?
Well I can only speak for SGS's approach.
First of all, I think you mean MDD, not MEDDEV.
The onsite auditor can only make a recommendation. That's really important, because you aren't certified for anything at this time, which I think you realise.
For North American clients we have an initial Houston office review, which is just a basic administration check that all the key elements of the submission pack are in place.
We then upload all the documentation onto our (rather impressive) electronic document management system and it can be immediately viewed online by our UK office. The UK is the registrar for ISO9001:2000/2008 (UKAS), ISO13485:2003 (UKAS), ISO13485:2003 (SCC) and is the Notified Body.
(We used to have our CMDCAS-accredited office in Toronto, but moved it to the UK so everything was in one place).
The UK admin team again does a very brief review to ensure that all the key elements are there. The pack is then made available to the medical devices certification team for a detailed review. If everything is okay, the pack then passes to a member of the certification management team for a sign-off. (The pack can still get bounced even at that final stage)
For an initial audit there is a
lot that can go wrong. Some of these things will just be corrected by the certification team under their own authority, some will get bounced back to the auditor for correction.
In a few cases, the auditor will need to get additional information from the client.
In extremely rare cases, a re-audit will be required. (I can't remember the last time that happened.)
That sounds like a lot of reviews (it is), and that the whole process is very bureaucratic and takes a lot of time (actually no, because of the electronic access to all documents, and automated notifications).
The quick admin reviews are just a few minutes. The detailed certification review of an initial audit pack can easily take an hour, sometimes much more. There's generally a lot of information to go through, especially if there are multiple approvals to be made.
SGS always prioritizes the review of initial and recertification audits (the review of surveillance audit packs are thus given lower-priority), typically we would expect to complete the review within a week, two at the outside.
We would generally communicate confirmation of successful certification at that time, especially if we are made aware of special urgency.
It's from that point that you can claim certification.
The certificates themselves are generated locally and would typically be received within a few days from then.
[Edit: Most people will wait the extra couple of days for their certs to arrive, but sometimes people have particular urgency, which we would try to accommodate].
So to answer your original question,
if all goes well, we like to say about a month after the audit before you receive your certificates. And that's about right, because in practice if there are no issues you will receive your certs within a couple of weeks, but there are often minor issues to resolve which can push things back a week or two.
One final point is that it's possible to pass one part of the audit, and yet fail at another. You may have an "internationally-acceptable" ISO13485:2003 system, but be missing a key element of the MDD requirements for example.
So if, in that example, you needed the ISO13485 registration urgently, you could go ahead with that certification, but be forced to wait for EC certification until whatever deficiences in your MDD compliance were addressed.
Hope that helps!
