Contact Us

Simple Guide for ISO13485 Auditing

This document provides simple guidance and details you would need to set up your internal auditing process to comply with the ISO13485 standard and FDA regulations. You can contact us to get a word document of this procedure and the related forms.

ISO13485 audit requirement
ISO13485 audit requirement

1.0 Purpose:

This procedure describes the internal auditing process to evaluate the effectiveness of ISO13485 Quality Management System (QMS) at Qualcy Systems Inc, (QSI) against the requirements for ISO13485 Standard and Internal business processes.

2.0  Scope

This procedure covers all processes related to ISO13485 except the sections which have been excluded. The excluded sections have been documented in SOP1006: QSI Quality Manual.

3.0 Responsibilities

(A) Quality Assurance manager or the designee shall:

->Ensure that the QSI adhere to the approved audit schedule which include audit at least once in a year.

->The criteria to be used, the scope of the audit, and the audit frequency within the schedule shall be based on:

      (1) Previous ISO13485 audit results.

      (2) Results from customer complaint trend analysis.

       (3) Major changes in ISO13485 the Quality Management System

       (4) The methodology applied: process, product, system audits, and the relative importance and complexity of processes.

       (5) Individuals selected must be independent of those having direct responsibility for the activity or process that is being evaluated.

       (6) Auditors should be qualified. Qualifications can be based on formal training, experience, or under the supervision of a lead auditor.

        (7) Ensure audit results are presented in the Management Review Meetings for improvement.

(B) Lead Auditor/Team shall:

       ->Ensure that previous and or related audits are reviewed as part of the audit process. Also, confirm that participating auditors have met the qualification requirements.

     ->Write an Audit Summary Report within 30 days of the audit.

    ->Document findings and the audit report in the Qualcy EQMS system or using the RF0091 (Internal Audit Report Template).

(C) Auditee shall:

(1) Provide support, information and input as requested by the Auditor.

(2) Respond to the audit findings in timely manner.

(3) Notify the lead auditor of any changes to the action plans, etc.

4.0 References

(1) SOP1001, Document Control and Change Procedure

(2) RF1091 Internal Audit Report Template

(3) SOP1011 Corrective and Preventive Action (CAPA) Procedure

(4) SOP1005: Employee Training Program

(5) SOP1006: QSI Quality Manual

(6) ISO13485 Medical Devices Quality Management Systems Requirements for Regulatory Purposes

Food & Drug Administration reference 21 CFR Part 820 Quality System Regulation

Food & Drug Administration reference 21 CFR Part 211 Current Good Manufacturing Practice for Finished Pharmaceuticals

 5.0 Notes and Definitions

(1) Auditor Qualifications: All auditors shall have the training, education and experience to perform audits. The minimum training and experience requirements for internal auditors are outlined below.

(2) Auditor – Team member: Minimum requirements for audit team members prior to actively participating in audits:

        -> Training of this Procedure (SOP 1012: Internal Audit Policy and Procedure).

       -> At a minimum understanding of the following regulations/standards (current version):

      -> ISO 13485 Standard and FDA Regulations (21 CFR Part 820 Quality System Regulation, 21 CFR Part 211 Current Good Manufacturing Practice for Finished Pharmaceuticals)

This requirement can be met by one of the following:

              -> Completion of Auditor Training or other equivalent
auditor training.

             -> On the Job experience (in current or previous company) in a role that includes auditing responsibilities.

Audit Experience: Experience performing audits as an auditor. This requirement can be met by one of the following:

    • Participating on at least two (2) internal audits as an auditor trainee under the direction of a qualified auditor. These audits will be documented on RF1008, Training Documentation Record.
    • Experience performing audits as an auditor in current or previous company.
  • Lead Auditor: Minimum requirements for a lead auditor prior to actively participating in audits:
    • Same as auditor requirements (section 5.2)
    • Auditing Training: Knowledge and understanding of the audit process. This requirement can be met by one of the following:
      • Completion of Lead Auditor Training or other equivalent lead auditor training.
      • On the Job experience (in current or previous company) in a role that includes lead auditor responsibilities.
    • Audit Experience: Experience performing audits as a lead auditor. This requirement can be met by one of the following:
      • Participating in at least two (2) internal audits as a lead auditor trainee under the direction of a qualified lead auditor. These audits will be documented on RF0008, Training Documentation Record.
      • Experience performing audits as a lead auditor in current or previous company.
  • Definitions
    • Effectiveness – the extent to which planned activities are realized and planned results achieved.
    • Nonconformity – a severe issue causing detrimental effects on products or control processes.
    • CAPA – Corrective and Preventive Action system.
    • Product Audit – examines a unit of production on whether it meets customer and product specifications.
    • Process Audit – examines adequacy and effectiveness of the process controls over the equipment and operators as established by procedures.
    • System Audit – examines the development and implementation of processes to meet organizational/departmental goals and objectives.
    • Audit – Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
    • Auditor – Person with competence to conduct an audit.
    • Lead Auditor – Person with competence to lead the audit team and who leads a particular audit.
    • Auditor in Training – An individual that is the process of demonstrating the requisite auditing skills.
    • Audit Program Manager –the Quality Manager or the designee to manage the internal audit process.
    • Competence – Demonstrated personal attributes and demonstrated ability to apply knowledge and skills.
  • Equipment and Computer Access:
    • The employees should have access to Qualcy EQMS system through a computer equipped with an internet browser.

6.0 Procedure

  • Creating Audit Schedule
    • The Quality Manager or the designee shall develop a yearly audit and confirm that all elements are scheduled to be audited at least once during the fiscal year.
    • Frequency may be adjusted based upon audit performance, assessments/audit findings and other Quality System metrics (Internal Failures, External Failures).
  • Audit Planning
    • The lead auditor shall notify the auditee about the audit plan ahead of time.
    • The lead auditor shall create the audit plan for the audit in the Qualcy EQMS system or the audit plan can be created in paper copies. The lead auditor is the Project Owner of the audit.
  • The audit reports detailing audit findings and recommendations shall be documented on Qualcy EQMS Audit Project or using the RF1091: Internal Audit Report Template.
  • Audit findings based on severity can be categorized as:
    • Major Non-Conformance: A failure in a process or system that potentially compromises the assurance of product quality and/or would likely be cited by a regulatory authority or customer as a significant non-compliance; an element of the Quality System improperly implemented; key records and/or evidences which cannot be properly traced leaving suspicion on their origin; previous observations classified as minor that have not been addressed properly in a timely manner by the site. Major findings require prompt corrective action by the auditee.
    • Minor NonConformance: An isolated item observed that is not yet serious, but could become a problem if not corrected in a timely manner (auditee management follow-up is required to assure that a systemic problem does not exist);
      Note: When a significant number of minor non-conformances are raised in one system area, it could be indicative of the start of breakdown in that system then the classification may be escalated to Major.
    • Opportunity for Improvement (OFI): Conditions or poor practices identified by the auditor that do not meet the definition of a nonconformance, yet if corrected may improve the overall quality management system or prevent future nonconformance. These audit findings, when addressed, will likely improve the data, documentation, and/or procedures associated with a facility, product, or operation
  • The overall audit rating shall be included for the audit. Also an audit conclusion statement shall be included in all audit reports, regardless if they are for a single quality system element or a full quality system assessment. One of the following overall statements can be used to describe the assessment of the effectiveness of the Quality System Elements.
    • Quality System appears to be in substantial compliance and appears effective. (This statement of compliance should only be used when the audit results in minor or no nonconformances).
    • Quality System appears to be in substantial compliance, but requires corrective action in some key or critical area(s). (This statement of compliance should be used when the audit results in no more than three major nonconformances).
    • Quality System has deficiencies and/or compliance issues that will require significant remediation activities to achieve substantial compliance. (This statement of compliance should be used when the audit results in more than three major nonconformances and/or one or more critical nonconformances).
  • 7.0 Audit Records:
  • Audit reports shall be published and be approved with in 30 days from the date of the audit. When NC (non conformances) are observed during the audits, the lead auditor shall notify the process owners on the day of the audit. Depending upon the severity of NC, the process owners shall initiate containment actions accordingly.
  • The approved audit reports will be maintained in the Qualcy EQMS system or using the RF1091 (Internal Audit Report Template).
  • The audit report shall include following sections
    • The list of participants or the auditee in the audit
    • The scope of the audit, which may be the processes, functional or business units.
    • The objective of the audit
    • The criteria for the audit including the relevant sections of the ISO Standard.
    • Review of the status of the audit findings from the previous audit. This may include notes regarding the effectiveness of the corrective actions implemented.
    • Audit notes and descriptions
    • Audit findings and non conformances. This section shall include the evidence that was sampled, observed, examined and evaluated. Also include reference to the criteria or requirements from the ISO standard or FDA regulations.
    • Conclusion/summary of the audit including the classification of audit findings as per section 8.2.4
    • Due date for response for the audit non conformances. The response shall include corrective action plans and due date for completion of corrective actions.
    • The records for the corrective action taken can be documented in the CAPA system, in such cases, the CAPA ref. number shall be included in the Qualcy NC Management sections. The Qualcy NC Management section shall be reviewed and approved by the lead auditor to close the audit reports. The status of the audits will be changed to Closed in the Qualcy EQMS system.
    • Follow-up audit activities will be conducted as agreed upon on the corrective action plan to verify and record the implementation and effectiveness of the corrective action taken.
  • Auditor qualification records will be kept in the auditor training files.

7.0 Risk Management

HazardRisk control measures
1.      Gaps or non-conformances are not properly identified as per ISO13485 standard.The auditor qualification records shall be reviewed and approved prior to the assignment of the audits. The audit checklists will be used by the auditors. The audit approvers shall review the checklists for completeness when reviewing the audit reports.
2.      The audit conformances are not properly classified as per ISO13485 standard.The auditors will be trained in this SOP, which has the definition for the classification of the non- conformances.
3.      The audit non-conformances are not addressed in timely manner.The internal audit results and metrics will be reviewed in management review meetings. The management team will be responsible for the follow ups.

8.0 Metrics and Reports

  • The metrics and reports for evaluating the effectiveness of Internal Audit processes shall be prepared and presented to Management.
  • The reports shall include at minimum
    • Number of audits completed vs. the audit plan
    • Number of NC (non-conformance) found, classification of NCs by process areas
    • Number of overdue NC (if any)
    • Trend for NCs by process areas
Sanjay Dhal

Sanjay Dhal

Quality and Regulatory Management Professional with more than 20 years experience in Quality System, Quality Engineering, Supplier Quality Management, Regulatory Compliance and Operational Excellence in the Life Science industry. Strong knowledge and expertise in the FDA Regulations including 21 CFR 820, 21 CFR 210, 21 CFR 211, 21 CFR Part 11 compliance requirements. Sanjay has been a trusted advisor for many Medical Technology and Life Science companies. Sanjay is a recognized leader in the QMS area and holds following certifications from American Society of Quality (ASQ). * Certified Six Sigma Black Belt (CSSBB), Certified Quality Engineer (CQE), Certified Quality Auditor (CQA)

Leave a Reply

Your email address will not be published. Required fields are marked *