Becoming An Effective ISO 13485:2016 Auditor 101


Becoming an Effective ISO 13485:2016 Auditor 101
Planning and Conducting QMS Audits that Yield Useful Results (and Add Value to the Business)
orielstat.com 800.472.6477

Conducting an ISO 13485 QMS internal audit? Here’s how to prepare.

CONGRATULATIONS! You have been chosen (or perhaps conscripted) to conduct or participate in an ISO 13485 internal quality management system (QMS) audit. For many, the prospect of coordinating and conducting an audit can be terrifying. However, believe us when we say the terror subsides with each hour of planning you do. In this white paper we will talk about how you can lay the foundation to ensure that your ISO 13485 audit progresses smoothly, yielding input that’s useful to your company’s management review as well as its corrective and preventive action (CAPA) processes.

The Real Purpose of the Medical Device QMS Audit

Even though it seems obvious, it’s worth repeating that the purpose of conducting an audit is to determine whether the QMS conforms to specified requirements and is effective in enabling your organization to meet quality objectives. In other words, you are trying to assess whether the organization’s system says what it needs to say, that you’re doing what you say you’ll do, and that what you’re doing is working to produce the outcomes you need. A QMS audit is not intended to evaluate the quality of products, nor does it focus on the performance of people. The emphasis is on the QMS processes and the effectiveness of the entire system in meeting defined requirements and objectives.

On the following pages we share auditing best practices garnered from over 50 years of training QMS auditors and conducting audits on behalf of our customers.

Basic Types of ISO 13485 Audits

Audits are planned, systematic processes carried out according to prepared working documents and audit plans. ISO 13485 talks about two main components of internal audits (section 8.2.4):

- Confirming that the organization’s QMS documentation conforms to the standard and any applicable regulatory requirements – commonly called a documentation audit.
- Confirming that the organization has implemented and is maintaining the QMS documentation – commonly called an on-site audit.

While documentation and on-site audits may seem like two entirely different animals, they are not. A thorough QMS audit includes both components. The difference between the two usually is in the approach and depth to which each of these audit components is conducted. The focus of the documentation audit centers on whether the QMS has been established and documented, while the on-site audit looks at whether the QMS has been implemented and maintained.

A full QMS audit has four primary goals:

1. Determine the extent to which the QMS has been established.
2. Determine whether or not the QMS has been documented in accordance with applicable requirements – also known as audit criteria (e.g., ISO standard, applicable regulations, contracts).
3. Determine if the QMS has been effectively implemented.
4. Determine whether or not the QMS has been properly maintained.

[Figure: Documentation audit – audit criteria (ISO) against policies (manual), system procedures, and work instructions (as time permits). On-site audit – practices: records, observed behavior, interviews.]

Developing Your Overall ISO 13485 Audit Schedule

A well-planned audit schedule will ensure that audits are performed regularly, are conducted according to the importance of the process, and address the results of previous audits.

Developing a master audit schedule is the first step toward planning audit activities for the year. Individual audit leaders will construct the individual audit plans to meet the schedule. An example of a master internal audit schedule is shown below. A similar one could be developed to plan your supplier audits for the year.

A typical ISO 13485:2016 internal audit will generally cover 2-4 areas of the organization each month throughout the year, depending on the size of the company.

[Table: master internal audit schedule. Rows (audit processes): Inspection – Process, Inspection – Final, Standards Lab, Testing, Training, Sales, Quality Control, Quality Assurance, Warehousing, Purchasing, Shipping, Inspection – Incoming, Engineering, Contract Administration, Design. Columns: JAN through DEC.]

Preparing for Your ISO 13485 QMS Audit

When planning an audit, it is tempting to skip some of the steps below and go immediately to creating a checklist and schedule. However, the process of initiating the audit is vital to the audit’s success. Here are the steps you should take.

1. Appoint the lead auditor. The first basic step is to figure out who will lead the audit team. If you work for a small company, that might be you! This person will be responsible for all phases of the audit.

2. Define audit objectives, scope, and criteria. This is an important step. You need to define which facilities and/or departments are involved and which processes will be audited. Defining the audit criteria (i.e., ISO 13485:2016) and additional applicable regulatory requirements (e.g., 21 CFR 820 and/or EU Medical Device Regulation 2017/745) is also imperative.

3. Determine the feasibility of the audit. You need to ensure that you will be able to conduct the audit as planned. Will you have adequate cooperation from auditees? Are any of the people involved working on a major deadline that would take away from their participation? Will any of them be on vacation? Is there adequate time and budget to conduct the audit? Will all the information you need be made available to you? Don’t assume. Verify.

4. Select the audit team. If your company is small, you may comprise the “team.” If your company has more than, say, 150 employees, insources design, makes high-risk products, etc., it is possible that you may need 2 auditors on your team. In selecting the audit team members, consider which competencies are needed, how long your audit will last, the scope of the audit, and time constraints. The first rule of auditing is that an auditor cannot examine an area for which he/she is responsible.

   Regarding competence, consider this example: An auditor who needs to interview management regarding management processes (e.g., resource processes, results processes, etc.) should have some minimal business experience. An auditor who needs to verify process or product measurements may need to have knowledge of quality and statistical tools. That’s why ISO defines competence in terms of education, training, skill, experience, and personal attributes.

5. Establish initial contact with the auditee(s). With a lead auditor chosen, the team determined, the scope defined, and other factors considered, it’s time to establish contact with your auditees. Make sure affected members of your organization (or your supplier) understand the scope of the audit you are conducting, when the audit will be conducted, and who is on the team. Request access to all relevant documents and, if you are auditing a supplier, ask for a map or sketch of their facility that has the departments clearly labeled.

Conducting a QMS Documentation Review

The purpose of the documentation review is to determine whether or not the QMS has been established and documented. Accordingly, where possible, try to review all documentation before the on-site audit activities commence. This will help you prepare for the on-site audit effectively and efficiently. Typically, auditees are required to submit a quality manual and procedures before the on-site audit.

The documentation should cover relevant information regarding the QMS (e.g., scope, exclusions that may exist) and any additional requirements beyond ISO 13485 and applicable regulatory requirements (e.g., customer requirements and/or supplier agreements). It should represent the documented quality management system as required by ISO 13485 in paragraphs 4.2.1 and 4.2.2 or other applicable criteria. If you are auditing a supplier, sometimes it might not be possible to get the quality manual ahead of time for proprietary reasons. If that’s the case, allocate time for a review at the beginning of the on-site audit. Organizational charts are helpful, so make sure you get a copy.

In addition to the manual and procedures, review:

- Promotional literature and website pages
- Previous audit findings and status of corrective actions
- Supplier agreements (if auditing a supplier)

Role of the Lead Auditor

Every audit has a lead auditor – even if it’s the only auditor! This person represents the team in communication with the auditee and management. The lead auditor also defines the requirements of each audit assignment, including qualification of other audit team members. Here are some of the lead auditor’s additional responsibilities:

- Plan the audit.
- Assign audit responsibilities to each audit team member.
- Make effective use of resources during the audit.
- Organize and direct audit team members.
- Provide direction and guidance to auditors in training.
- Lead the audit team to reach conclusions.
- Prevent and resolve conflicts during the audit.
- Prepare and complete the audit report.

Creating the QMS Audit Plan

Starting an on-site audit without a detailed plan is a surefire way to waste a lot of time, frustrate a lot of people, and leave without generating useful output. In an ideal world, you should spend 2 hours planning every hour of audit time. A detailed audit plan should cover:

- Audit objectives and scope
- Audit criteria and reference documents
- Locations, dates, times, and duration of audit activities
- Audit method to be used, including the extent of sampling
- Roles and responsibilities of the audit team members, guides, and observers
- Allocation of appropriate resources to critical areas of the audit
- Logistics and communications arrangements (usually for supplier audits)

This is an example of an internal audit plan for a single internal process.

AUDIT PLAN FOR ISO 13485
PURPOSE: Quality System Evaluation of Design/Development Control for ISO 13485
SCOPE: Design Control for Med-i-Care
AUDITEE: Dept. 31 – Engineering
REPRESENTATIVE: G. Hill
LEAD AUDITOR: J.T. Kirk
PRODUCT: Surgical Tools
AUDITORS: J.T. Kirk (Lead), H. Sulu
DATE: September 20, YYYY
TIME SLOTS: 9–9:15 (Opening Meeting), 9:30–10:30, 10:45–11:45, 12:30–1:30 (Closing Meeting)
AUDIT TOPICS: Design and Development Planning and Files; Design and Development Transfer and Change; Design Input/Output; Design and Development Review, Design and Development Verification and Validation
Opening Meeting: 9:00 September 20, YYYY
Closing Meeting: 12:30 September 20, YYYY
Note: List of applicable procedures to be audited is attached.
Prepared by: J.T. Kirk, August 23, YYYY
Approved by: M. Scott, August 24, YYYY

This is an example of an ISO 13485:2016 audit plan for individual processes. It also shows the ISO 13485:2016 clauses that would typically be relevant for each process.

[Table: processes (rows) against ISO 13485:2016 clauses (columns) 4.1, 4.2, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 8.1, 8.2, 8.3, 8.4, 8.5. Surviving row labels: Management, Customer …, …ibration, Sales/Marketing, Quality Assurance, Quality Control, Accounting/Finance.]

Creating Your Working Documents

An essential part of the audit planning stage involves preparation of the working documents. You’ll usually do some of this in parallel with the documentation review portion of the audit, which will give you information about specific topics and information paths to follow during your on-site audit. Working documents typically include checklists, audit sampling plans and forms for recording meeting attendance, audit evidence, and audit findings (corrective action reports, nonconformity reports).

Checklists are good tools, as they save valuable time and ensure that important items are not missed during the audit. It is worth spending time on these, because checklists can be adapted for use in other audits and improved based on your experience over time. Just remember: As you’re auditing, don’t use checklists like a script; instead, consider them only as a guide. Also, don’t forget to safeguard and treat your audit documents as confidential or proprietary at all times.

Notifying Your Auditee

The final step in the preparation phase is to confirm the audit details with your auditee. This correspondence comes from the lead auditor and must follow company procedures and address all points from any previous phone discussions, meetings, or emails. The notification must confirm the date, time, and place of the opening meeting and include the audit plan and proposed schedule/agenda. (Optionally, you could include a copy of your checklists if they will aid understanding, but there are pros and cons to doing so.) The purpose of this notification is to ensure there are no misunderstandings.

A detailed audit plan will be very specific about times, participants, and process areas.

AUDIT PLAN FOR ISO 13485
PURPOSE: Evaluation for Certificate
SCOPE: Milltown, CA Site
AUDITEE: Superior Products, Inc. (SPI)
REPRESENTATIVE: G. Hill
AUDITOR: Oriel STAT A MATRIX
LEAD AUDITOR: J.T. Kirk

July 26, YYYY (entries listed in the order Auditor 1, Auditor 2, Auditor 3)
8:00–8:15: Arrive on site; Arrive on site; Arrive on site
8:15–8:45: Opening meeting; Opening meeting; Opening meeting
8:45–9:30: Tom Gauss, Measurement Systems; John Black; Tom Silver (plating process)
9:30–11:00: John Smith, VP (re: mgt. program); Ellen Brown, Design; David Jones, Mgr. (re: training)
11:00–12:00: Jack Gordon, Mgr. (re: audit program); Carol Baker, Mgr. (re: corrective & preventive action); Larry Gomez, VP (re: …
2:00–3:15: Ed Burke, Eng. (re: operations control); Joe Green, Eng. (re: planning of realization process); Susan Green, Mgr. (re: customer satisfaction); Robert Hall, VP (re: purchasing)
3:15–4:45: Tom Sparky (re: Welding Shop); Alice White, Mgr. (re: documentation); Jim Dayton, Mgr. (re: …

Opening Meeting: July 26, YYYY, 8:15 a.m.
Debriefing: July 26 & 27, YYYY, 4:45 p.m.
2nd Shift Observations: July 27, YYYY, 6:00–10:00 p.m.
Closing Meeting: July 28, YYYY, 2:00 p.m.
Note: This is the first day of a three-day audit. List of applicable procedures to be audited is attached.
Prepared by: J.T. Kirk, July 7, YYYY
Approved by: M. Scott, July 8, YYYY

The Opening Meeting of the On-Site Audit

You have spent weeks preparing for your audit. All documentation has been reviewed, schedules created, auditees notified, and checklists confirmed. Now it’s time for the scary part: Conducting the audit! If you have done your job well to this point, the audit should be the easy part because you will simply be executing a well-choreographed plan.

On the morning of Day 1, you will host the opening meeting. There are many things you will want to accomplish during this meeting, including:

- Record the name and title of all participants.
- Introduce audit team members and state each member’s responsibilities.
  - Ask the auditee team to do the same.
- Discuss the responsibilities of auditee management.
- Confirm the purpose and scope of the audit, and confirm the audit plan (typically sent a few weeks prior to the opening meeting). [1]
- Describe the audit methodology (e.g., interviewing, observing, reviewing documentation, taking notes, recording findings, classifying nonconformities, etc.).
- State the audit objectives and emphasize that the audit will try not to interfere with operations.
- Confirm the working hours, meal breaks, and time for daily debriefings.
- Confirm the time of the closing meeting, and state how long it will take after that meeting until the audit report is issued.

[1] Note that the scheduled times of daily debriefings and the closing meeting should be included in the audit plan.

Average ISO 13485:2016 Audit Duration

ISO audit duration is based on the number of employees in the facility and the scope of the QMS. The risk associated with the device is also a factor. For example, there is certainly more risk associated with manufacturing heart valves than manual wheelchairs, and this impacts audit length. The International Accreditation Forum documents MD-5 and MD-9 set guidelines for internal audit days as well as general protocols for conducting an ISO audit. It should be noted, however, that this type of audit length determination is trending out with the use of audit duration calculations used in the Medical Device Single Audit Program Model (MDSAP). MDSAP audits are based on the number of elements to be covered in the audit. These types of audits can be considerably longer than an ISO audit.

What Is MDSAP?

The Medical Device Single Audit Program – or MDSAP – allows a single audit of a medical device manufacturer’s quality management system (QMS) to satisfy the regulatory requirements of Australia, Brazil, Canada, Japan, and the United States. The MDSAP audit model covers the requirements of ISO 13485 plus Good Manufacturing Practice requirements for each applicable regulatory authority.

The MDSAP program does not yet extend to cover the quality and safety requirements of Europe. Thus, you will still need to undergo a separate Notified Body audit to maintain compliance with EU requirements.

Conducting the On-Site Audit and Avoiding Rabbit Holes

All that preparation you did in the weeks leading up to the audit will now pay off. You should make every effort to deal directly with the people involved in implementing the system. People, not documents, make or break a system. When you start performing the audit, it is important to remember that an audit is really a method of sampling and is conducted to get a sense of what is happening. Consider stratified random sampling to focus the audit based on risk (e.g., rather than taking a random sampling of purchase orders, stratify the population by criticality to focus on what is important). You need to be sure that the auditee is not cherry-picking documents to show you. You should dictate the documents you want to see, reviewing the requisite number of samples stipulated in your audit plan.

During the audit, you will invariably come across people who nervously ramble, digress, or are intentionally vague or evasive. In these cases, it is important that you remain courteous but persistent. Be polite but insist on getting details needed to answer the question. Don’t go down the rabbit hole with someone who is trying to explain something that is irrelevant. It is the auditor’s job to keep the auditee on track and extract the information needed. That being said, you are encouraged to explore problems to the fullest extent possible rather than skipping over a problem so you can touch lightly on other subjects. Accordingly, you may need to go beyond your checklist to dig deeper and look at key process interactions that may be relevant (e.g., purchasing and production interaction).

Audit Interviewing Tips

Auditees often get nervous during an ISO 13485:2016 audit because they sometimes feel as though they are being personally interrogated. To gain their cooperation, it is important that you set a commonality of perceived purpose in the opening meeting. Your common goal is to ensure that the company has a quality management system that is effective and conforms to requirements, not to throw someone under the bus. Make sure to tell the auditee that you will be taking notes during an interview. Refer to your checklists repeatedly but don’t read verbatim from them; instead, use the checklist items as a framework for discussion. To get relevant, complete information from auditees, follow these guidelines:

- Don’t be sarcastic, argue, or criticize people’s efforts.
- Don’t be negative.
- Don’t reveal your opinions but don’t be overly secretive.
- Don’t question beyond your level of knowledge.
- Don’t get into company politics or personalities.
- Don’t be late!

Remember, although the audit may be the most important thing in your professional life at this moment and you may feel like the most powerful person in the room, your presence is an imposition for the auditee. They have other work to do. With limited time to collect the information you need, think carefully about how you ask questions. Consider these alternative examples:

- Do you issue new revisions?
- How do you issue new revisions?

The second question (i.e., an open question) is likely to reveal much more information about who, what, when, where, why, and how revisions are issued. Also, keep personnel dynamics in mind. Auditee personnel may hold back information if their boss is also in the room.

10 Tips for Effective Communication

1. Stop talking – you cannot listen if you are talking.
2. Put the speaker at ease – create a permissive environment.
3. Show the speaker you want to listen – look and act interested, make eye contact.
4. Remove distractions – put your phone on silent, avoid doodling.
5. Empathize with the speaker – try to help yourself see his/her point of view.
6. Be patient – allow plenty of time, never interrupt.
7. Hold your temper – someone may take the wrong meaning from your angry words.
8. Minimize criticism – you want people to remain open and willing to share.
9. Ask questions – this shows that you are actively listening.
10. Stop talking – yes, it’s worth mentioning twice.

Recording and Discussing Your Observations

Audits can be exhausting, and you’ll be eager to go home at the end of a long day. Resist the urge! It is vital that you conduct a debriefing at the end of each day (not the next morning) to discuss observations with your audit team members and ensure that team members are performing their assigned functions. Document your observations so each team member can evaluate results for potential nonconformities. Also, you’ll sleep better that night with all of your insights safely put on paper instead of cluttering your brain.

Don’t meet only with your audit team. It is important that you keep the auditee fully aware of what is being observed. Meet with the auditee per an established schedule for debriefing and report good as well as nonconforming conditions.

Whew, You Made It – the Closing Meeting

When the audit is complete, the audit team will conduct a closing meeting with the management team to formally present positive findings, cite concerns, share opportunities for improvement, and clarify misunderstandings. This meeting and the final ISO 13485 audit report are critical to the success of the audit, so the lead auditor must be fully prepared with notes covering all areas.

The purpose of the closing meeting is to present logical and fact-based explanations of the strengths and weaknesses of the quality management system. You will want to explain to management that the audit investigated only a sample of activities and that there may be other nonconformities the sampling did not uncover. This is especially important for people to understand because an actual FDA inspection or Notified Body audit may uncover different issues. You don’t want people pointing fingers at you if observations arise that were not revealed by an internal audit.

With regard to nonconformities, it is best not to raise these for the first time during closing meetings. Always bring the issue up during the audit and give the auditee an opportunity to explain something you may have misunderstood. If there is still evidence of a nonconformity, let the auditee know then. Also, make sure you give credit where credit is due, particularly in areas where procedures have been shown to be effective. When covering deficiencies, focus the auditee’s attention on the significance of the nonconformities (major versus minor). Get agreement on a timeframe for creating a corrective action plan, and a deadline for addressing those deficiencies. You should also state the date when the final audit report will be issued. Finally, although not required (especially with internal audits), it’s a good idea to keep minutes of the meeting and record attendance.

Preparing Your Written ISO 13485 Audit Report

You’ve spent weeks preparing for your audit and several days conducting it. Now comes the time to formally put your thoughts and findings on paper. The purpose of the audit report is to present the auditee with a written record of nonconformities and provide a full account of audit evidence that supports these nonconformities. In general, your audit report should:

- Describe the audit purpose and scope.
- Identify all audit team members.
- Identify people who attended the opening and closing meetings.
- Describe the strengths of the QMS.
- Describe each system nonconformity.
  - Typically, people’s names are not linked to process nonconformities, only to their job function (e.g., supervisor, etc.).
- Provide audit evidence to support each nonconformity.
- Describe concerns and opportunities for improvement.
- Provide a conclusion (e.g., “The audit shows that the QMS has remained effective with a few exceptions, as revealed by the nonconformities as follows”).

Don’t forget – your report should not contain surprise nonconformities that were not discussed during the audit and in the closing meeting.

How Much Detail Goes into the Final Audit Report?

The nature of the audit will determine the characteristics such as the length, format, emphasis areas, and sequence. Nonetheless, the formal report should contain a highly detailed description of the quality management system’s strengths, nonconformities, audit evidence, opportunities for improvement, and areas of concern. It should include:

- Executive summary
- Audit overview, including:
  - Date of the audit
  - Purpose of the audit and scope
  - Audit criteria (e.g., ISO 13485:2016 standard)
  - Persons contacted during the audit and the audit team
  - Approvals and signoff by lead auditor
- Specific nonconformity reports
- Specific concern reports (could become future nonconformities)

Nonconformity reports are an essential component of an audit report. Concern reports are also a useful way to head off future minor or major nonconformities.

NONCONFORMITY REPORT
Note #: IL1
Standard: ISO 13485
Company Under Audit: General Goods
Requirement: 4.2.4
Area Under Review: Calibration Laboratory
Nonconformity (MAJOR / MINOR): There is no documentation procedure for the control of documents.
Audit Evidence: The organization could not produce a documented procedure for the control of documents. The management representative stated to the lead auditor that the procedure was in the development stage.
Auditor: J.T. Kirk
Date: February 13, YYYY

CONCERN REPORT
Note #: IL2
Standard: ISO 13485
Company Under Audit: General Goods
Requirement: 7.5.8
Area Under Review: Pinion …
Concern: The chalk used to identify product that passes test no. 1 in the pinion lab test could rub off, thereby leaving the product unidentified relative to test status. A number of products had a portion of the chalk mark missing several workstations later in the process flow.
Auditor: J.T. Kirk
Date: February 13, YYYY

The content of the ISO 13485 QMS audit report must represent the conclusions of the lead auditor with input from the entire audit team, and not just the viewpoints of individuals. This gives the auditee the benefit of the collective experience of all team members and reduces bias.

The lead auditor will decide if the scope of the audit warrants including corrective action requests in the final report. Your audit report should be sent to the auditee as soon after the closing meeting as practical. This is important because it reinforces the points you made during the closing meeting and keeps those issues top of mind with the auditee management team.

ISO 13485 Internal or Supplier Audit Follow-Up Activities

Now that you’ve crafted a beautifully detailed report and submitted it to the auditee, you’re finished – right? Not so fast. The last thing you want is to show up at the next audit only to find out that nothing has been done to address nonconformities described in your audit report. Inaction would certainly frustrate you and it would not be good for the company. Thus, after the closing meeting has occurred and the audit report has been sent to management, your goals are to:

- Ensure the management team fully understands the nonconformities via audit report distribution.
- Make sure the auditee prepares timely corrective action plans to address any nonconformities found.
- Ask the auditee to identify the people who will initiate and implement the corrective actions.
- Evaluate the auditee’s corrective action plan responses to determine the completeness of the plan.
- Verify the completion and effectiveness of corrective actions, which may include a follow-up audit.
- Determine the need for surveillance visits.

It’s also a good idea to make sure the organization has a methodology to address corrective actions. If not, this would be a good opportunity for improvement. Without a methodology supported by tools, chances are that the CAPA system will not be effective.

As part of the follow-up process, you should also retain or destroy documents pertaining to the audit in accordance with any agreements, procedures, and applicable statutory, regulatory, and contractual requirements.

Your Work Will Never Be Done, and That’s Good

As an auditor, you play a critical role in the health of your organization’s quality management system, and ultimately the safety of the medical devices your company produces. That’s an important responsibility, which needs to be taken seriously. The benefits
