In this blog, we’ll break down what the two ISO 13485 audit stages involve - and why mis-timing them can lead to serious setbacks, including:
To bring this to life, we’ve enlisted the help of Quality Consultant Sam Shelley, who shares practical, video insights on what auditors are looking for at each stage, and how companies get tripped up when they don’t plan ahead.
Before you can gain ISO 13485 and bring a medical device to market, your Quality Management System (QMS) must go through two key audits. These audits are part of the process required by ISO/IEC 17021-1 — the international standard that ensures inspections of management systems are carried out consistently and competently.
In the EU and UK, successfully passing these audits is a major step toward applying for the CE or the UKCA marking for your product, and getting legal permission to market your medical device in those regions.
But with the revised Quality Management System Regulation (QMSR) bringing FDA requirements into lockstep with ISO 13485, it's now essential for U.S. medical device companies to understand how this external audit process works, too.
Whether you are being audited by a Notified Body (NB) in the EU, or by the equivalent Certification Bodies in the US or Approved Bodies in the UK, the same two stages apply.
Each stage serves a distinct purpose:
Watch: Quality consultant Sam Shelley explains what happens in a Stage 1 audit
In the Stage 1 audit the Notified Body evaluates whether your Quality Management System (QMS) is fully implemented and meets ISO 13485 requirements.
During this audit, the NB will review:
The goal of this audit is to confirm your QMS is functional before moving to Stage 2.
Watch: Quality Consultant Sam Shelley explains what the Stage 2 audit entails:
The Notified Body assesses whether your organisation is actually following its documented procedures. This includes reviewing:
A key requirement for medical device manufacturers is that by Stage 2, you must be at least in the validation phase of product development. If you haven’t reached clinical evaluation at that point, you may fail to demonstrate compliance with Clause 7 of ISO 13485 (Design & Development Controls).
Planning your ISO 13485 audits isn’t just a box-ticking exercise - it’s strategic decision-making that can make or break your product launch timeline. Here are some of the most common audit scheduling mistakes - and why they’re so damaging:
Watch: Consultant Sam Shelley explains why audit scheduling often goes wrong:
Many companies mistime their audits, which can lead to costly delays:
| Mistake | What happens | Why it’s a problem |
| --- | --- | --- |
| Scheduling Stage 2 too soon after Stage 1 | Insufficient time to generate the records and objective evidence required for Stage 2. | Can lead to audit failures or major non-conformities that delay certification and market access. |
| Going too early with Stage 1 | Your QMS may not be fully implemented or mature enough for evaluation. | Results in early audit failures and a delayed timeline while corrective actions are implemented. |
| Leaving too long between audits | Exceeding the 6-month limit between Stage 1 and Stage 2 (per ISO/IEC 17021-1) may trigger a redo. | You'll have to repeat Stage 1, wasting time, resources, and potentially missing product launch windows. |
To ensure a smooth certification process, here are a few best practices to bear in mind:
| Step | Recommendation | Why it matters |
| --- | --- | --- |
| Align audits with product development | Time your Stage 2 audit around your clinical evaluation phase, when validation evidence is available. | Stage 2 requires objective evidence of validation—aligning timelines avoids certification delays. |
| Schedule Stage 1 at the right time | Plan your Stage 1 audit at least three months before Stage 2 and ensure your QMS is fully implemented. | Gives you time to resolve any gaps or findings before the final certification audit. |
| Build a contingency buffer | Allow for at least three months of flexibility to absorb delays in verification or validation activities. | Helps avoid last-minute rushes or failed audits due to unforeseen project slippage. |
| Use internal audits to prepare | Conduct regular internal audits in the lead-up to Stage 1. | Identifies non-conformities early and demonstrates QMS readiness to the certification body. |
Your ISO 13485 audit schedule must align with your product development timeline and regulatory requirements. Poor planning can result in delays, compliance issues, or even a failed certification process. By strategically timing Stage 1 and Stage 2 audits, ensuring a fully implemented QMS, and allowing time for corrective actions, you’ll set your organisation up for a smooth and successful certification process.
Choosing a proprietary Electronic Quality Management System (eQMS) to organise your quality documentation and process is the most reliable way to prepare your company for a stress-free audit.
But you should be careful to ensure that the system you choose can scale with your requirements if you’re not going to get tied up in red tape as you prepare for inspection. There are some systems that rigidly prescribe the SOPs you’ll need in place to meet the ISO 13485 standards, forcing you to change the way you work. This may create gaps between your process and your documentation that will quickly be detected in your Stage 2 audit.
Luckily, there is another way.
Choosing a flexible eQMS like Cognidox can help you structure your documentation and compliance process around your existing process, rather than dictating the way you must work.
Cognidox is a system that impresses ISO inspectors and empowers your team to work smarter - not harder. With intuitive controls, powerful traceability, and built-in governance, you’ll have everything you need to pass audits and accelerate time to market.
Find out more about how Cognidox helps med tech start-ups and scale-ups stay in control as they grow.