Description of the QM system certification procedure

EN ISO 13485 and /or MD-Directives

The certification of a management system based on the standard EN ISO 13485, as well as the
conformity assessment procedure for management systems according to EC directives for medical
devices, consists of the offer and contract phase, the audit preparation, performance of the Stage 1
audit with evaluation of the management documentation, performance of the Stage 2 audit, issue of
certificate and surveillance/recertification.

The auditors are selected by the Head of the Certification Body for Medical Devices of TÜV NORD
CERT GmbH in accordance with their approvals for the particular sector and their qualification.

1. Certification procedure

1.1 Audit preparation

Following signing of the contract, the auditor prepares for the audit on the basis of his contract
appointment and the relevant customer documentation and discusses and agrees the further
procedure with the organisation to be audited.

During preparation for the surveillance or recertification audit, the organisations to be audited have the
duty to report fundamental changes in their organisational structure or changes in procedure to the
Certification Body.

Special conditions only for MDD procedures:

In the area of EC directive procedures (CE conformity assessment procedures), type, scope and place
for a review of the technical product documentation and / or design dossiers must be agreed with the
customer. These can be sent in or evaluated by means of the Stage 1 audit. Time for review is
excluded from stage 1 audit schedule. The review result will have an impact on the certification
decision.

1.2 Audit Stage 1

The Stage 1 audit is conducted in order to

 audit the management system documentation of the customer,

 assess the site and site-specific conditions of the customer and hold discussions with the
personnel of the organisation in order to determine the degree of preparedness for the Stage 2
audit,
 assess the status of the customer and his understanding of the requirements of the standards,
particular with regard to identification of key performance or significant aspects, processes,
objectives and operation of the management system,
 to collect necessary information regarding the scope of the management system, the
processes and location(s) of the customer, and related statutory and regulatory aspects and
compliance (e.g. quality, environmental, legal aspects of the customer's operation, associated
risks, etc.),
 review the allocation of resources for stage 2 audit and agree with the customer on the details
of the stage 2 audit,
 evaluate if the internal audits and management review are being planned and performed, and
that the level of implementation of the management system substantiates that the customer is
ready for the stage 2 audit.

Description of certification procedure_Decription of the QM-Certification Page 1 of 5

procedure _13485_MDD_E.DOC01.10 Rev.0
 Description of the QM system certification procedure
EN ISO 13485 and /or MD-Directives

If nonconformities were identified in the stage 1 audit, these must be corrected by the customer before
the stage 2 audit.

If at the end it cannot be established positively that the customer is ready for the Stage 2 Audit, the
audit is broken off after the Stage 1 Audit.

The lead auditor is responsible for the co-ordination of the activities of the stage 1 audit and if
necessary for co-ordination and co-operation of the auditors concerned amongst themselves.

1.3 Certification audit (Stage 2 audit)

The customer receives an audit plan at the beginning of the stage 2 audit. The plan is agreed with the
customer in advance.

The audit begins with a start-up meeting, in which the participants are introduced to each other. The
procedure to be followed in the audit is explained. Within the framework of the audit at the
organisation's premises, the auditors review and assess the effectiveness of the introduced
management system according to the applicable standard as applied for and the module of the EC
directive.

The task of the auditors is to compare the practical application of the management system with the
documented processes and to assess them in relation to fulfilment of the requirements of the
standard. This is achieved by means of questioning of the employees, examining the relevant
documents, records, orders and guidelines and also by visiting relevant areas of the organisation.

A final meeting takes place at the end of the onsite audit. At least those employees take part in the
audit who have management functions within the organisation and whose areas were included in the
audit. The lead auditor reports on the individual elements and explains the positive and negative
results. In the case of any nonconformities found, the leading auditor can only recommend that the
company be granted a certificate after corrective measures have been accepted or verified by the
audit team. For the documents to be submitted subsequently, periods must be complied with as
indicated by the auditor. In case the corrective measures cannot be verified on site, the auditor may
recommend a re-audit.

The audit is documented in the audit report (the documentation must be separate for stage 1 and
stage 2 audits) and is completed by means of further records (e.g. audit questionnaire and hand-
written records).

1.4 Issue of certificate

The certificate is issued when the certification procedure has been reviewed and released by the head
of the Certification Body or his deputy or nominated representative. The person who reviews and
releases the procedure may not have participated in the audit.

The certificate can only be issued when the nonconformities have been eliminated i.e. the corrective
measures have been accepted or verified by the audit team.

The certificates are valid for 3 years. On request and especially for MDD-certifications 5 years validity
can be issued.

Description of certification procedure_Decription of the QM-Certification Page 2 of 5

procedure _13485_MDD_E.DOC01.10 Rev.0
 Description of the QM system certification procedure
EN ISO 13485 and /or MD-Directives

2. Surveillance audit

Surveillance audits must be conducted once per year during the period of validity of the certificate (3
years).

When the set date / audit-relevant date is set for the surveillance audits, a difference must be made
between new clients (initial certification as from 01 January 2008) and existing clients (initial
certification before 01 January 2008).
New clients:
- The audit-relevant date for the annual surveillance audit, which follows the certification audit, may
not be later than 12 months after the last day of the stage 2 audit.
Existing clients:
- The audit-relevant date for the annual surveillance audit is the date of validity of the certificate
which was valid on 01 January 2008 (day and month) minus 1 month.
New and existing clients:
- The audit-relevant date controls all the following audits (surveillance and recertification audits).
- Each surveillance audit including review and acceptance and verification, if appropriate, of the
measures for correction of nonconformities, drafting of the audit report and release by the
Certification Body, must be completed at the latest 3 months after the audit-relevant date.
- within the framework of annual surveillance, a surveillance audit can be conducted at the earliest
3 months before the audit-relevant date.

Permissible tolerance for conducting annual surveillance audits:

audit-relevant date -3/+ 0 months.

The customer receives a report following the surveillance audit.

Special conditions only for MDD procedures:

As part of the surveillance audits in conformity assessment procedures according to Annexes II,V, VI
the Notified Body will review technical documentations for class IIa and IIb product on a representative
basis. The result of this review will be considered in the audit procedure.

3. Recertification audit

Recertification audits must be completed before the end of the period of validity of the certificate,
including review of the measures for correction of nonconformities.
In the recertification audit, a review of the documentation of the management system of the
organisation takes place and an onsite audit is conducted, whereby the results of the previous
surveillance programme(s) over the period of the certification are to be taken into consideration. All
requirements of the standard are audited.
Activities related to the recertification audit may include a stage 1 audit if there are significant changes
in the management system or in connection with the activities of the organisation (e.g. changes to the
law).

The audit methods used in the recertification audit correspond to those used in a stage 2 audit.
Description of certification procedure_Decription of the QM-Certification Page 3 of 5
procedure _13485_MDD_E.DOC01.10 Rev.0
 Description of the QM system certification procedure
EN ISO 13485 and /or MD-Directives

4. Extension audit

If it is intended to extend the scope of an existing certificate, this can be implemented by means of an
extension audit. An extension audit can be conducted within the framework of a surveillance audit, a
recertification audit or at a time which is set independently.

The period of validity of a certificate does not change as a result. Exceptions must be justified in
writing.

5. Takeover of certificates from other certification bodies

In general, only certificates from accredited certification bodies can be taken over. Organisations with
certificates which originate from non-accredited certification bodies are treated like new clients.

A "Pre-Transfer-Review“ must be conducted by a competent person from the Certification Body which
is taking over the certificate. This review generally consists of an examination of important documents
and a visit to the customer.

Certificates which have been suspended, or where there is a risk of suspension, may not be taken
over. Any nonconformities which have not been corrected should as far as practicable be clarified with
the previous Certifier before the takeover. Otherwise they must be dealt with in the audit.
In MDD contracts regulatory requirements on change of the Notified Body have to be considered.
The further surveillance programme is based on the programme which has been in place up to the
time of the takeover of the certificate.

6. Certification of multi-site organisations

If a multi-site organisation is being certified, these sites must also be audited. Organisations with
several production sites/branch offices/locations etc. with similar types of activity and which operate
under a single management system are certified by means of random sampling procedure.

7. Management of nonconformities

An analysis of the causes must be performed for each nonconformity and corresponding corrective
measures must be implemented. The organisation has the duty, depending on the seriousness of the
nonconformity, to inform the audit team within 60 days either with regard to the corrective measures
which have been laid down and the dates for their implementation or that the corrective measures
have been implemented. The second case generally requires to send in additional documents. In case
a verification of corrective measures cannot be implemented by document review a re-audit may be
performed. In this case a positive result of that audit shall be documented within 90 days. If this period
is not observed, the audit is considered not to be successful, i.e. not to be passed. No certificate can
be issued, or an existing certificate is withdrawn.

Description of certification procedure_Decription of the QM-Certification Page 4 of 5

procedure _13485_MDD_E.DOC01.10 Rev.0
 Description of the QM system certification procedure
EN ISO 13485 and /or MD-Directives

Special conditions only for MDD procedures:

Because of the dramatic consequences of certificate withdrawal (no CE-marked product can be
delivered) the Certification Body has to announce this measure by additional letter and ask the
customer to respond within a given timeframe.
For further details please refer to the certification regulations for medical devices.

Description of certification procedure_Decription of the QM-Certification Page 5 of 5

procedure _13485_MDD_E.DOC01.10 Rev.0