How to conduct an ISO 13485 Internal Audit Assessment


Agenda and checklist for a third-party ISO 13485 audit

Introduction – ISO 13485 Internal Audit Assessment

What is an Internal Audit Assessment?

An Internal Audit Assessment is a formal, comprehensive comparison of the current state of an organization’s processes and procedures against a standard or regulation. The analysis will show where the organization is and is not meeting the standard.

For a medical device manufacturer, an ISO 13485 Internal Audit Assessment will systematically compare the current quality management system to the requirements in ISO 13485:2016. This is the current revision of the medical device quality management system standard for medical device firms published by the International Organization for Standardization.

ISO 13485 Audit

Essentially, this analysis can be condensed into a checklist. The auditor goes through each requirement of the standard and compares it to the current state in the medical device organization. The checklist may be used as a tool for the audit, and it may be presented, along with an audit summary, as a product of the analysis.

It is important to note that the Internal Audit Assessment can be applied to any organization in the medical device supply chain that needs to demonstrate the suitability of its quality management system for customer and regulatory requirements. This can include a medical device maker, supplier, external testing organization, and others.

When and why is an ISO 13485 Internal Audit Assessment needed?

Medical device organizations grow and evolve quickly. The ISO 13485 standard is updated periodically. New suppliers are brought on. All this amounts to a dynamic picture that requires continual vigilance.

A medical device manufacturer may need an ISO 13485 Internal Audit Assessment when:

  1. Onboarding and ensuring a potential supplier’s compliance with the standard

Medical device manufacturers increasingly rely on suppliers for specialized materials, software, packaging, and labeling. An internal audit assessment conducted at a supplier will detail where the supplier meets the ISO 13485 standard and where it does not. The results of the analysis can help buyers decide whether to do business with the supplier, work with them to resolve issues, or disqualify the supplier outright.

  2. Monitoring the effectiveness of your supplier’s quality best practices

Many factories initially seem to have a high quality capability but over time their performance declines. The ISO 13485 QMS is not a one-time event. It is merely a framework that guides the organization in deploying best practices. This requires the organization and its employees/operators to follow procedures and continuously improve their own system. It is recommended that buyers regularly perform monitoring audits on their critical suppliers.

  3. Preparing for ISO 13485 certification

A second-party organization audits for compliance to ISO standards and awards the certification (or “registration” in ISO’s terminology). This is considered a high-stakes audit because the auditor serves as a registrar (or accredited certification body) that determines ISO certification status. A medical device manufacturer that has prepared for ISO 13485 certification by building its quality management system will want to comprehensively assess for gaps before proceeding with a second-party audit that could lead to certification. A third-party audit expert such as Pro QC conducts this intermediate audit or series of audits.

  4. Maintaining the certification

Practices drift over time. Technology changes rapidly. And it is always difficult for an organization to examine itself with the same objectivity and detachment an outsider can apply. Thus, a medical device manufacturer with an existing ISO 13485 certification may hire a third-party audit company to verify continued compliance. This third-party Internal Audit Assessment may come before a recertification audit that establishes continued compliance.

Length of a Pro QC Internal Audit Assessment

Pro QC’s ISO 13485 Internal Audit Assessment usually requires two days in total for a small factory and will require an extra day for bigger operations. Reporting time is included.

ISO 13485 Audit Agenda and Checklist

Pro QC will formally notify the auditee of the audit date, scope, and duration to ensure that the audit is conducted efficiently, and the checklist and report are accurate.

Pro QC will indicate the members of the audit team, when the auditee can expect them, and what resources are requested (e.g., conference room, specific members of management, specific areas to tour and inspect).

Pro QC will send an audit agenda that was agreed upon in advance and generally follows this format:

  1. Opening meeting
  2. Facility tour
  3. Quality management system
  4. Product realization
  5. Purchasing
  6. Manufacturing
  7. Quality control and assurance
  8. Inspection and test equipment control
  9. Closing meeting

The checklist will be followed rigorously and will be completed using objective evidence such as documents and records, conducting tours and interviews, observing production and testing, and photographing in-process and finished components.

Standard ISO 13485 audit checklist of Pro QC

The auditor will use Pro QC’s standard audit checklist as a tool that thoroughly assesses the device manufacturer’s quality management system against the ISO 13485 standard. The checklist is organized by quality management subsystem. Within each subsystem is a set of questionnaire items reflecting specific requirements of the standard.

The auditor adds objective evidence, such as the relevant clause of the manufacturer’s written procedure, a photograph, or a set of records demonstrating compliance. Nonconformance reports or CAPAs may be cited to support a finding of noncompliance with the standard. The auditor’s final report will spell out findings in plain language utilizing an actionable, prioritized format.

What does the audit checklist cover?

The checklist covers all elements of the ISO 13485 standard:

  • Quality Management System

ISO 13485 states, “The organization shall document a quality management system and maintain its effectiveness in accordance with the requirements of this International Standard and applicable regulatory requirements.”

One requirement of this section is that the organization will validate software. To verify this checklist item, Pro QC’s auditor will examine the validation folder for software used in the organization’s medical device manufacturing activities.

  • Management Responsibility

ISO 13485 states, “Top management shall provide evidence of its commitment to the development and implementation of the quality management system and maintenance of its effectiveness” by, for example, establishing the quality policy.

Pro QC’s auditor will verify this by examining the company’s quality policy. An inadequate or missing quality policy will be written up as a finding.

  • Resource Management

ISO 13485 states, “The organization shall determine and provide the resources needed to,” for example, “meet applicable regulatory and customer requirements.”

Pro QC’s auditor will look for evidence that personnel training needs are defined and provided, and that facility controls are in place to meet regulatory requirements.

  • Product Realization

ISO 13485 states, “The organization shall plan and develop the processes needed for product realization.”

This includes determining the records needed to provide evidence that the realization processes and resulting product meet requirements. To verify this requirement is met, Pro QC’s auditor may examine written procedures that define these essential records, and examine the records themselves, including facility logs, batch records, and device history files.

  • Measuring, Analysis, and Improvement

ISO 13485 states, “The organization shall plan and implement the monitoring, measurement, analysis and improvement processes needed to demonstrate conformity of product, ensure conformity of the quality management system, and maintain the effectiveness of the quality management system.”

This means putting in place a continuous improvement process, such as 1) a regular internal audit to detect internal issues, 2) root cause analysis to determine the underlying causes of the issues, and 3) Corrective and Preventive Action (CAPA) plans to continually improve the overall system. This approach evaluates the ongoing effectiveness of the quality management system and provides feedback about the safety and effectiveness of the product. This clause of the standard also emphasizes the requirements for control of the nonconforming products. This includes the systems needed to perform a product recall and ensure that potentially unsafe products that have been distributed will not cause harm. The clause outlines the requirements for appropriate statistical methods needed to control process and product, and the documented checks and procedures needed to release products for use.

The underlying goal of Clause 8 is to emphasize the importance of a quality feedback loop, and how an organization manages its quality inputs internally (from internal audit assessments) and externally from its clients, such as customer complaints and field failures. Quick reactions to quality defects and field failures, and the processes for performing a product recall, are closely regulated and inspected by government authorities. In Pro QC’s audit, you can expect the auditor to examine CAPA records, internal audit reports, product trending reports, and device master batch records to verify conformance with this important clause.

What is the ISO 13485 audit score?

Each area of the manufacturer’s operations relevant to the ISO 13485 standard is scored separately. This approach displays the strengths and weaknesses in the factory’s ability to comply and helps to identify areas of improvement. The separate scores are averaged in order to show the overall level of compliance.

This shows the overall risk level of the factory using the following scale:

  • A score of 90% or above indicates low risk
  • 60%-89%, medium risk
  • 59% and below, high risk.


The ISO 13485 Internal Audit Assessment is only the first step

The Internal Audit Assessment details the organization’s level of compliance against ISO 13485. The audit gives a compliance score and a detailed report. According to the prioritized findings and results, corrective actions might be needed to reach full compliance.

About Us

Pro QC International is a global quality assurance company with deep experience in the field of medical devices and quality management. We offer a large range of quality solutions such as ISO 13485, ISO 14644, GMP 21 QSR 820 consulting, and medical product quality control inspections in over 88 countries.
