
IAF MD 9:2022, Application of ISO/IEC 17021-1 in the Field of Medical Device Quality Management Systems specifies normative criteria for conformity assessment bodies (CABs) auditing and certifying organizations’ Quality Management Systems to ISO 13485, in addition to the requirements contained in ISO/IEC 17021-1. IAF MD 9 was revised and published in February 2022. The IAF Medical Device work group has recommended a 2-year transition period. The changes are only applicable to certification bodies.
Changes in IAF MD 9:2022
The major changes in IAF MD 9:2022 include:
- 5.1.2 – The CAB shall establish appropriate agreements with their clients to release audit report information to regulators that recognize ISO 13485.
- 8.2.1 – The CAB shall precisely document the scope of certification so that it is clearly categorized under a Main Technical Area in Table A.
- 9.1.4 – Time required to audit national or regional regulatory requirements and dossier reviews shall be additional and justified, so as not to diminish the audit of the QMS.
- 9.1.5 – Sites involved in design, development, and manufacturing of medical devices (Table A.1.1-1.6) cannot be sampled.
- Annex A
- Main Technical Areas in Table A.1.1 – 1.6 are applicable to finished medical devices. Where the CAB applies for a scope of Accreditation for a technical area that has “other than specified above” in the description of technical area, the CAB shall provide a list of medical devices and include their risk classification (risk classification rules, such as those that appear in European EU MDR/IVDR or US FDA classification regulations) to the accreditation body (AB).
- The information provided shall also include a concise statement of the intended purpose of the medical device.
- The technical area “Other than specified” may only be used when no other category is applicable.
- A risk classification should be determined using an appropriate national, regional, or international risk classifications. Examples include:
- Medical Devices Classification GHTF/SG1/N77:2012
- (EU) 2017/745 Annex VIII Classification Rules
- National Classification Regulations (e.g., FDA)
- 3 new technical areas added to A.1.5 Sterilization Method for Medical Devices
- Low temperature steam and formaldehyde sterilization
- Thermic sterilization with dry heat
- Sterilization with hydrogen peroxide
- 1 new technical area added to A.1.7 Parts or services
- Other services – Consulting services related to medical devices, packaging services, etc.
- Clarified A.1.7 Parts or services – Calibration services
- Verification/confirmation services for measuring instruments, tools, or test fixtures
- Organizations providing calibration services should be accredited to ISO/IEC 17025.
- Provided clarification for when the degree of influence of an organization’s parts or service are clearly intended to support medical devices
- Main Technical Areas in Table A.1.1 – 1.6 are applicable to finished medical devices. Where the CAB applies for a scope of Accreditation for a technical area that has “other than specified above” in the description of technical area, the CAB shall provide a list of medical devices and include their risk classification (risk classification rules, such as those that appear in European EU MDR/IVDR or US FDA classification regulations) to the accreditation body (AB).
- Annex B
- Added competence matrix for technical areas – Table B.1
- Added CB Auditor competence for A.1.7 Parts or Services – Table B.2
- Annex C
- Work experience for A.1.7 – C.2
- Auditors performing audits of organizations solely under Table A.1.7 shall only meet the requirements of ISO/IEC 17021-1 and ISO/IEC 17021-3 and not those in C.2.
- Added CPD requirements for A.1.1 – A.1.6 (16 hours) and A.1.7 (8 hours) – C.4.1
- Work experience for A.1.7 – C.2
- Annex D
- Included an additional factor that may increase audit time
- When more than one main technical area is required to be audited, the audit duration shall be increased to address any additional requirements related to the additional main technical area(s).
- Provided required audit time requirements for combined audits for ISO 9001 and ISO 13485
- For a single management system, when determining the required time for a combined ISO 9001 and ISO 13485 audit, a minimum of 25% shall be added to the minimum number of audit days calculated per Annex D. Conditions where additional time may be required include differences in scope, effective number of personnel, etc.
- Combined audits – ISO 13485 audits conducted in conjunction with ISO 9001 audits
- Included an additional factor that may increase audit time