
How to set up effective and compliant internal audit programs, audits and auditing procedures, and align with ISO 19011.

For many medical device organizations implementing an ISO 13485 management system, the supporting process of internal auditing has not been the primary focus. Many organizations don't have internal audit programs before embarking on the ISO 13485 implementation process, and others have partial programs focused only on specific design, manufacturing or service processes.

In this blog, we would like to provide guidance on implementing an effective audit program and explore opportunities resulting from its implementation and management. These opportunities relate to organizations in the process of implementing systems as well as those with mature quality management systems and internal audit programs.

Audit Program

Conducting effective internal audits is crucial to the effective operation of the quality management system (QMS). Using the feedback provided by such audits and other information sources, such as complaints and service records, the organization closes the feedback loop to provide assurance that the QMS processes are operating in a state of control.

Planning of the internal audit program should permit changes in emphasis and intervals based on associated risk, as required by ISO 13485 (cl. 8.2.4):

An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits.

The majority of organizations confuse the terms audit program, audit plan, audit schedule, audit agenda and so on, because they are unaware of ISO 19011 (Guidelines for auditing management systems), even though it is cited in the internal audit section of the standard. We highly recommend that manufacturers become familiar with ISO 19011, as it provides more detailed information.

ISO 19011 defines audit program as follows:

Audit program - arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

Basically, the audit program lists all the internal audits planned by the organization for a certain period of time, for example 1 year or 3 years. Organizations may establish one general audit program that includes internal audits as well as any external audits by Notified Bodies or clients, supplier audits, etc. However, ISO 13485 requires the audit program for internal audits only.

ISO 13485 requires the audit program to contain at least the audit criteria, scope, interval and methods. ISO 19011 recommends also taking into account factors such as the objective, scope and duration of each audit and the number of audits to be conducted; the reporting method and, if applicable, audit follow-up; results of previous audits and previous program reviews; language, cultural and social issues; and the occurrence of internal and external events, such as nonconformities of products or services, information security leaks, health and safety incidents, etc.

We recommend including the following in the audit program:
  • Audit type
  • Process(es)/Product(s) in scope of the audit
  • (Lead) Auditor(s)
  • Planned date
  • Execution date
  • Audit No. (for internal tracking)
  • Frequency (once every 1, 2 or 3 years, or more than once a year)
  • Audit criteria (the requirements used as reference against which objective evidence is compared).
  • Audit methods (e.g., onsite or remote audit, interviews of auditees, inspection of documents and records, and witnessed production visits).

The key here is to remember that the audit frequency shall be established according to process importance, status, and results from previous audits. The example below shows that the impact of the process on the QMS and the status of the process during the last year, for example, define a different audit frequency for this particular process within the organization’s QMS.

The organization may also increase the frequency based on changes to the product or process. For example, a major change to a product or process could necessitate a focused audit in a particular area or set of requirements. To support this, the organization could, for instance, conduct a focused audit of the design and development process for a particular product in addition to the planned one.

An internal audit program is typically established every year and confirmed as a part of the management review. All processes/areas need to be covered by at least 1 internal audit during a certification cycle, which can be extended to 3 years.

The next important definition comes from ISO 19011:

Audit plan - description of the activities and arrangements for an audit.

An internal audit plan shall be established separately for each internal audit taking into consideration the status and importance of the processes and areas to be audited. The following is typically defined in the internal audit plan:
  • Auditee(s). As defined in ISO 19011, the organization as a whole or parts thereof being audited. In common practice, however, auditee(s) are employees in medical device manufacturing.
  • Audit number. The unique number of the audit.
  • Audit objectives. The internal audit has 3 main purposes: to verify compliance with the standards and regulations, to verify compliance with the organization's own QMS and to identify opportunities for improvement.
  • Audit scope. The scope of the internal audit must be defined. It generally includes a description of the physical and virtual locations, functions, organizational units, activities and processes, as well as the time period covered.
  • Audit criteria. The overall audit criteria are determined by the internal audit program and any audit-specific requirements are documented (e.g., product-specific standards).
  • Audit team. Name(s) and role(s)/function(s) as applicable of the audit team members (auditors and technical experts). The audit team leader (lead auditor) is identified.
  • Audit date(s). The date(s) the audit will be conducted.
  • Audit agenda. The schedule of the internal audit activities.
  • Audit documentation. Documents/records required to prepare for the internal audit (e.g., Quality Manual, internal audit procedure, previous internal audit reports).
  • Audit methodology (document/records review, interviews, remote/onsite, ...)

Thus, the audit agenda is one element of the audit plan that typically defines date, time, topic (process(es)), auditor(s), auditee(s) and location of the audit.

The internal audit plan must conform to the approved audit program and is distributed in advance to the management responsible for the processes/areas or products, with a defined timeline (for example, a minimum of two to three weeks' prior notice).

Internal audit team

Developing an appropriate strategy for internal audits is one of the most important initial exercises. This includes identifying who will conduct the audits, deciding how auditors will be trained, and determining audit frequency. The level of intensity and frequency of internal audits will help determine the audit team's size and training needs.

Bigger and highly dynamic medical device organizations typically benefit from more frequent audits, whereas smaller organizations will maintain more relaxed schedules. An organization that needs more frequent audits may also benefit from keeping a larger pool of trained auditors. This would minimize the total time each auditor spends on an audit and increase the impartiality of the audit process.

The auditors must not have responsibility within areas they are auditing. However, there is a strategic advantage to selecting auditors whose departments' processes relate to the areas they are auditing. For instance, a purchasing person could audit shipping and incoming inspection, R&D could audit manufacturing, and manufacturing could audit quality aspects of the QMS, etc. Auditing a closely allied department enables auditors to gain in-depth knowledge of these departments' processes, which may later contribute to refining and improving the management system.

Internal auditor training and qualifications

All internal auditors must be trained in conducting audits. Effective auditor training is probably one of the single greatest value-added opportunities companies have with regard to their QMS. The training should be appropriate for the complexity of the areas to be audited and include training on the company's internal audit process and systems as well as training on the applicable audit criteria. Auditors and all employees should understand that internal audits are system audits, not people audits.

Some medical device organizations send employees to outside internal auditor training; others educate and qualify them internally. Both options have their pros and cons. Clearly, being able to train and rotate internal auditors holds additional benefits. In many medical device organizations, for instance, operators spend their careers in one type of position. Becoming an internal auditor allows an employee to play an important role in maintaining the company's quality management system, thus creating workplace variety and potentially increasing job satisfaction.

The requirements for auditor qualification can be described either in the internal audit procedure or in human resources procedures, and the records shall be maintained and available for any external audits if necessary.

If the internal audit is conducted by auditors external to the organization, their training and competencies shall also be established and, as a practice, auditors external to the organization must come from a qualified supplier. As for internal auditors, a record of their qualification shall be maintained and available (resume, certificates, …), and they need to be trained on your internal audit procedure.

Conducting internal audits

The audit starts with an opening meeting with the auditee(s) and/or management having responsibility for the audited area, the audit team and management representative(s) if necessary. During the opening meeting, the audit plan is to be confirmed, and the audit team explains the classifications of audit results and the reporting process.

Internal audits should not be performed against the ISO 13485 standard or 21 CFR Part 820 only, but rather against the organization's QMS processes, although mechanisms for evaluating the adequacy of a management system to meet international standards can be integrated into internal audit systems.

The qualified auditors should follow the initial audit plan to review the quality management system. It is usually beneficial to develop an intensive plan and agenda at first, strictly to verify the quality management system's implementation. Once the company has gained confidence in the system's implementation, it should develop a plan that provides more aggressive coverage of areas requiring the most attention. For organizations with mature QMSs, these areas can be weighted based on the results of previous audits as well as relative importance to the quality management system's objectives.

Many companies use audit checklists to help guide auditors through audits of specific processes and departments. These checklists help establish audit trails by prompting the auditor to review related systems, and they often demonstrate to outside auditors exactly what internal auditors examined. We do not recommend that manufacturers stick to the same checklists every year, so that internal auditors do not lose the holistic and broad view of the status of the quality management processes.

The audit team collects information using the audit methodology documented in the audit program and plan, as explained above. The audit findings are documented in the audit notes and checklist. Finally, the audit results shall be summarized by the audit team at the end of the audit, during the closing meeting on the last internal audit day, and presented to the attendees. Any diverging opinions regarding the audit findings or conclusions between the audit team and the auditee should be discussed during the closing meeting and, if possible, resolved. If not resolved, this should be recorded.

Reviewing the results

Once audits are performed, the outcome should be reviewed and subordinated. Some findings may require the use of the corrective action system; others may have simpler corrections. Such actions are usually decided and undertaken by the auditee within an agreed timeframe. It has never been the auditors' responsibility to follow up on the findings and approve the corrective action plans. As appropriate, the auditee should keep the individual(s) managing the audit program and/or the audit team informed of the status of these actions. The completion and effectiveness of these actions should be verified. This verification may be part of a subsequent audit. The results of the audits and corrective actions should be included in management reviews in order to close the internal audit loop.

In conclusion, we would like to emphasize that of all the elements of the quality management system, the internal audit is the most time- and effort-consuming once a system is implemented. Making the most of internal audits may create greater employee involvement, improve job satisfaction and provide more opportunities for continuous improvement of the existing system. Qserve auditors have extensive experience in establishing effective audit programs and conducting internal audit activities. Don’t hesitate to outsource your internal audits and improve your internal audit system today.
Olena Hoi, MSc
Henk-Willem Mutsaers, MSc
François Naye, PhD
Post date: July 05, 2022