Understanding Medical Device Audits and Audit Reports

Pro QC International partners with clients with ease and shares in their success.

The medical device industry must produce safe and effective products to diagnose and treat disease. Each year, industry requirements become more stringent as regulatory bodies, standards organizations, and patients expect more in safety and effectiveness.

Medical device manufacturer audit

To help device manufacturers meet these ever-increasing needs, Pro QC International serves as a third party audit company and provides a suite of supplier and factory audits against each of the most critical regulations and standards. The following article will explain the types of device manufacturer audit, the applicable standards and regulations, and what to expect in Pro QC’s high-impact audit reports.

Types of Device Manufacturer Audit

Regulatory Audit

A medical device manufacturer must abide by the laws of the country in which it operates and in which in markets and sells its products. Because medical devices are often invasive in the body (such as a blood contacting catheter) and influence treatment decisions (such as a finger prick blood glucose check device), they are subject to stringent regulations governing their development, testing and marketing.

A regulation is a standard with the force of the law behind it. This means that a company that does not follow a regulation can expect legal and financial penalties, including jail time (in the most egregious cases), import bans, and revocation of the license to operate and sell.

In the US, the Food and Drug Administration (FDA) enforces laws related to medical devices. The FDA’s mission is to protect public health. In Europe, a regulatory framework comprising individual countries and the European Union enforces medical device laws. In many small or developing countries, the local government will require compliance with international standards or a process developed by the World Health Organization (more on standards below) instead of developing their own set of complex regulations.

A regulatory audit has one of three objectives: routine surveillance of device manufacturer operations; assessment of the device manufacturer’s operations before granting approval to market; and for-cause inspections because the regulator felt the need to investigate for a possible violation.

A regulatory audit is extremely important because of the potential consequences involved.

Third Party Audit

A third party audit is one conducted by an organization that is outside the customer-supplier relationship, and therefore independent. This audit may help the customer attain a certification, registration, or recognition.

The primary strength of a third party audit is the independence of the auditor. This aspect of the relationship allows them to practice objectivity and detachment when writing up findings, and to hew more closely to the standard instead of the particulars of the customer or supplier’s culture and customs.

In an ISO 13485 audit an independent “registrar” company (not the standards body ISO itself) will visit the client’s site, examine records and processes, tour, interview personnel and management, and provide an audit report assessing compliance to the medical device quality management system standard. The auditee will generally have time to address findings before the follow up audit. During the follow up audit they are checked again for whether they fixed any nonconformances to the standard. Then, a successful audit will result in an ISO certificate, with the full promise and integrity of the third party auditor behind it.

Supplier Audit

A supplier audit is how a client company assesses the quality and effectiveness of their supplier. For example, suppose a device manufacturer manufactures a lateral flow pregnancy test. This device is a seemingly simple strip where a line appears to indicate pregnancy. This device manufacturer will want to closely examine the quality system of the suppliers of the antigen, sample pad, wicking pad, and nitrocellulose membrane.

A device manufacturer will generally rank their suppliers by risk. In fact, this risk based approach is an ISO 13485 requirement. The suppliers that provide the highest risk components (such as antigen) will need a higher level of scrutiny than the suppliers of the packaging or case.

What Do You Audit Against?

“Audit” is usually synonymous with “inspection.” Inspection involves comparing the actual condition to the ideal (i.e. to the standard).

So, what exactly does an auditor compare a medical device manufacturer to when auditing their quality system and operations? The answer is generally regulations, standards, and internal and supplier requirements.

Regulations

Auditing against regulations means comparing operations to the law of the land. The US Code of Federal Regulations (especially 21 CFR Part 820) addresses how medical device manufacturers must establish a quality system, which is a set of policies and procedures that ensure the company produces safe and effective devices.

A device manufacturer marketing products in the EU will need to meet the regulations in the European regulatory framework, especially the evolving Medical Device Regulation (MDR). A device manufacturer marketing products in Australia, Japan, Canada, etc. will have to meet these countries’ regulations and will want thorough auditing against these regulations before applying for approval to do so.

Standards

What if a patient’s blood pressure was measured high on Company A’s device, and normal on Company B’s device? That would be a problem! A standards body develops technical specifications, best practices, and agreed-upon frameworks to help organizations all over the world speak the same technical language and achieve uniformity in important areas.

The most widely adopted international standards body is the International Organization for Standardization (ISO). Their standard on the quality management system for medical device manufacturers, ISO 13485:2016, is used by device manufacturers worldwide.

Internal/Supplier Requirements

A device manufacturer will generally rank suppliers from critically important to low-risk. The critical suppliers warrant exhaustive auditing, inspection, verification and vigilance. The customer will often visit the supplier’s factory, examine their records, expect third party certifications, and a clean regulatory enforcement record. The customer will develop written requirements and supplier agreements, and audit the supplier against these.

Major Audit Examples: ISO 13485 audit and GMP 21 QSR 820 audit

ISO 13485 audit

ISO 13485:2016, according to ISO’s site, “specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.”

Essentially, understanding and carefully implementing the requirements in this standard will help a medical device manufacturer to consistently produce safe and effective products while achieving continuous improvement.

Considering its wide scope, ISO 13485 is remarkably concise. But meeting the standard (a process called registering) is not simple. To get there, most medical device manufacturers will hire a third party audit service and possibly one or two follow up audits to ensure full compliance before entering the certification process.

GMP 21 CFR 820 audit

The US FDA enforces Good Manufacturing Practices (GMP) set forth in the Code of Federal Regulations (CFR). Title 21, Part 820 describes the Quality System Regulation. This may sound arcane and complicated, but the actual language and intent are straightforward: establishing in the law a framework that ensures device manufacturers consistently produce safe and effective products.

Pro QC’s offerings

As a medical audit provider, Pro QC provides a range of supplier quality audits for device manufacturers:

  • New Supplier Evaluation and Quality Audit
  • PPE Supplier Verification
  • ISO 13485 Quality Management System Audit for Medical Devices
  • ISO 11137 Sterilization Process Audit
  • GMP 21 QSR 820 audits for Medical Device
  • ISO 9001 Quality System Audits
  • ISO 14001 Environmental Management System Audits
  • Includes ISO 14644
  • Corporate Social Responsibility Audits
  • Combined Audits

 

All are carried out with the objective of helping the client meet the regulatory requirements, standards and supply chain needs described above.

What to expect during the audit

Depending on the audit, you can expect: an in-person inspection and observation of operations; an examination of records and quality system documents; interviews with staff; and an opening and closing meeting to discuss the audit scope and any preliminary findings. A social audit will not involve quality system documents, but an ISO 13485 audit will involve an extensive look at these documents.

What to expect from the audit report

Expect a prioritized list of recommendations, a clear outlining of strengths and opportunities for improvement, and a detailed breakdown of findings. Findings are organized according to the applicable requirement. Each finding is color coded and scored, and is linked to objective evidence examined during the audit.

Pro QC’s report will include the risk level of the supplier, the compliance level to the standard and recommendations.

Review Sample Reports

Learn more about Pro QC’s Quality System and Compliance Audits here. Click here to review sample audit reports and see world-class reporting for regulatory compliance, adherence to standards, supplier development and vendor compliance.

Medical Device Manufacturer Audits by Pro QC

The world of medical device standards and regulations can seem daunting, but it need not be. Pro QC partners with clients for effective auditing and reporting. Medical device clients will find an experienced partner ready to share in success and lead to breakthrough improvement in their quality systems and production.