Medical device manufacturers and supporting organizations pursuing or maintaining an ISO 13485:2016 certification must conduct regular audits to ensure an adequate, effective quality system is established and maintained through a compliant Quality Management System (QMS).
These audit programs can be daunting and complex, making it difficult to know where to start. Between planning, coordinating, and conducting the assessment, audits like this have many moving parts, each of which is critical to the project's success.
This starter guide offers guidance to help you orient yourself in the initial planning stage of such a project and explains how expert third-party resources play an important role in ensuring these assessments are effective and efficient.
Solidify the Goal
From the very start, it's important to make sure everything is pointed at the same target. Simply stated, the goal of any QMS audit, no matter what standard is being evaluated against, is to determine whether your system is written as it should be, whether that system is being maintained and followed properly, and whether it's producing the right output.
Staying within these boundaries is critical for focusing your energy and hours where they should be while avoiding any temptation to pursue tangential goals.
Again, in order to be successful, a QMS audit must focus on the system itself and the processes within it, answering important underlying questions, like:
- Has the QMS been established to the extent it needs to be?
- Is it documented according to applicable requirements?
- Has it been implemented and maintained properly?
If you're assessing compliance gaps between ISO 13485:2016 and its previous edition, it's critical to highlight the changes in QMS requirements and contextualize these questions accordingly.
Table A.1 and Annex B within the ISO standard offer a useful outline of these changes and an explanation of the structural relationship between the two editions.
Keep in mind that despite these helpful resources, there are explicit details that often prompt the need for outside assistance from a third party regulatory compliance expert with extensive experience helping organizations identify process gaps and remediate them.
For example, ISO 13485:2016 requires a "risk based approach" to the control of appropriate processes and presents new requirements for validating computer systems within the QMS. Depending on the current state of your QMS, these underlying requirements often lend themselves to experienced third party assistance in order to not only capture the true scope of enhancement, but devote the time and energy required to implement changes.
Understand the Parts of an ISO 13485 Audit
Under section 8.2.4 "Internal audit," firms are required to maintain a planned and documented arrangement for internal auditing and ensure there is no delay when corrective action is necessary.
ISO 13485 breaks these internal audits into two main parts: documentation audits and on-site audits as defined in the excerpts below:
- Confirming that the organization’s QMS documentation conforms to the standard and any applicable regulatory requirements – commonly called a documentation audit.
- Confirming that the organization has implemented and is maintaining the QMS documentation – commonly called an on-site audit.
In comprehensive QMS audits, these are not mutually exclusive. Both are included, but differ in approach and scope.
The goal of a documentation audit is to determine whether the QMS has been adequately established and documented. An on-site audit should determine whether that QMS has been (and is being) implemented and maintained.
Establish an ISO 13485 Audit Procedure
ISO 13485 requires organizations to document and implement an internal audit process to evaluate the strength of their quality processes and reveal any weaknesses.
In addition to assessing the processes that impact product quality and safety, the internal audit procedure should aid in correcting deviations and nonconformance, and be utilized as a tool for continuous quality improvement — mitigating risks and potential quality issues.
Plan and Schedule Your Audit
ISO standards require that internal audits be conducted regularly. In practice, they are typically performed annually or semi-annually, though the frequency should be based on your firm's specific needs.
The project timeline of an audit can vary significantly depending on the size and complexity of your organization. No matter the duration, every project should adhere to a well-defined master schedule accessible to all stakeholders.
This schedule should arrange each area to be audited within the overall project timeline at a pace that reflects your organization's capabilities. Potential risks to the project caused by resourcing problems should be identified and mitigated.
Consider the relative importance of a given process when prioritizing each set of activities within your audit. Once a schedule is established, those responsible for leading and managing the assessments should then develop audit plans and consider what resources will be needed to effectively conduct an objective assessment.
Consider the following best practices when putting this plan together:
1. Determine audit goals and scope.
Plan out which functions and processes are within the scope of your audit activities and which specific criteria you will be evaluating against.
2. Perform an initial feasibility assessment.
You have your audit plan, but are you actually able to effectively execute on it? This is where you need to ask a number of questions that can help you avoid common auditing pitfalls:
- Are those whose functions are being audited able and willing to cooperate with the assessment in the timeline you've set out?
- Are there any conflicting deadlines that threaten your timeline?
- Is the information you need from various functions going to be made available in the time you've budgeted?
3. Staff your audit team.
Determine the competencies your auditors will need to effectively carry out your audit plan and locate the resources you need, whether internal or external. These individuals must be objective assessors who are not responsible for the areas they're auditing.
ISO defines "competence" in terms of education, experience, training, skill, and personal attributes, so use these criteria as a starting point when evaluating potential candidates. If, for instance, an auditor will need to perform process validation, you must determine if they are capable of using the statistical tools they need to do so. Details like this must be addressed well ahead of time.
4. Coordinate with impacted personnel.
It's not enough to simply put audits on your teams' radar. You must ensure they understand what is being assessed, when the audit is scheduled, and who will be conducting it. In addition, make sure any necessary documents and other necessary information are received ahead of time.
Whenever possible, review and organize all documentation to improve the effectiveness and efficiency of the audit ahead of time.
The documentation should include relevant information regarding the QMS and any additional requirements beyond ISO 13485 and applicable regulatory requirements. This material should represent the documented QMS required by ISO 13485 in paragraphs 4.2.1 and 4.2.2 and any other applicable criteria.
In addition to documentation such as quality manuals and procedures, review any previous audit findings and the statuses of corrective actions that came from them.
Plan Your On-Site Audit
Planning is absolutely critical to stay on-track with your audit timelines while producing useful findings each step of the way.
An effective audit plan should cover:
- The objectives and scope of the audit
- Audit criteria and documents for reference
- Audit methods
- Roles and responsibilities
- Locations, dates, times, and duration of audit activities
- Resource allocation
- Logistics and communication needs
As part of this plan, individual processes should be mapped to the applicable clauses of the audit criteria within the standard. This can function as both a guide and checklist of completion.
During this planning stage, and to some degree during the earlier documentation review stage, working documents should be prepared for the audit. Checklists, corrective action and nonconformity reports, forms for meeting attendance, sampling plans, and other necessary documents should be organized for reference and direction during the assessment.
Once documentation is in place, the lead auditor should confirm the details of your plan with the auditee, making sure everyone has the information and materials they need before assessment begins.
Get Auditing and Remediation Support from the Industry's Top Experts
Very often, audits of this size and scope require organizations to augment their internal staff with experienced external resources who can uncover systemic issues and create a plan to correct them.
Third party remediation professionals offer a fresh perspective while working diligently to analyze gaps, resolve compliance problems, and communicate your efforts to key stakeholders.
Our quality professionals bring direct experience in life science development and manufacturing to help you understand and address quality assurance needs and implement improvements to your quality system.
Our team works closely with your staff to take the lead in planning, executing, and analyzing comprehensive audits to uncover potential deficiencies and make the necessary improvements, all while empowering your staff to maintain compliance well into the future.
Our active remediation model goes beyond consulting to solve a variety of compliance problems while offering ongoing project management and training services each step of the way. Once remediation is complete, we plan, implement, and audit your quality system to ensure regulatory compliance is maintained well into the future.