Very early in my career leading Quality and Regulatory teams in medical device companies,         I came to appreciate the value and importance of conducting constructive well planned Internal Audits of the Quality Management System. I would encourage the audit team to find nonconformances, and how it was far better for us to find noncompliance?s so we could fix them before an external auditor discovered them, and how much better that was for so many reasons.

For a mature quality system that has gone through many internal and external audits the expectation should be that not too many findings would be found, and they may only be of a minor nature. However for a start-up medical device company it may well be a different picture and more findings can be expected. It is fairly normal in my experience, for a quality system that has not had time to mature and conduct many, if any, internal audits, that more findings can be expected, and including occasionally a few that fit the mature category.

But again this is OK and provides the opportunity to fix any finding found before external audits find the gaps. This includes early audits held during the QMS implementation and before the certification audit.

In this article I want to cover the requirements of internal auditing as well as provide what I have found to be some best practices to help make your audits constructive.

The benefits of conducting internal audits include the following:

•         Provides a mechanism for checking and addressing product safety and compliance
•         Checking and monitoring QMS procedures and fixing any gaps found
•         Ensures compliance with procedures and appropriate regulatory requirements
•         Discover and implement opportunities for improvement

Before we move into looking at the audit process as shown in the diagram below, let?s take a look at the regulatory requirements under the ISO 13485:2016 as well as FDA.

Internal Audit requirements to meet ISO 13485:2016 Section 8.2.4 and FDA 21 CFR Part 820.22

ISO 13485:2016 section 8.2.4 Internal audit:

The organization shall conduct internal audits at planned intervals to determine whether the quality management system:

• a)   conforms to planned and documented arrangements, requirements of this Standard, quality management system requirements established by the organization, and applicable regulatory requirements.

 

• b)   is effectively implemented and maintained.

 

The organization shall document a procedure to describe the responsibilities and requirements for planning and conducting audits and recording and reporting audit results.

An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits. The audit criteria, scope, interval and methods shall be defined and recorded (see 4.2.5). The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

Records of the audits and their results, including identification of the processes and areas audited and the conclusions shall be maintained (see 4.2.5)

?????????

The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include verification of the actions taken and the reporting of verification results.

Note:  Further information can be found in ISO 19011.

 

FDA 21 CFR 820.22 Quality audit:

Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented. 

?Introduction:

 

You should have a dedicated documented procedure for Internal Audits as well as support forms i.e. Audit Plan and Audit Checklist.

 

The procedure should outline the purpose and scope of Internal Audits as well as applicable Quality Standards and Regulations. Also describe the roles and responsibilities of employees involved in the audit process and a step-by-step description of the audit process.

 

Best practice is to have an audit checklist that covers all elements of the quality management system. The checklist should also have space for the auditor to add notes during the audit.

See sample of a checklist below.

At the risk of repeating myself, but again I would like to really emphasize the purpose of the internal audit is to look closely at your quality management system and to find any gaps and to find opportunities for improvements. At the end of the audit process, including fixing any gaps you should have confidence that you can face an external audit without major issues and your quality system is robust and meets intended purpose.

 

As a process owner, it can be very helpful to step away for a moment and allow a second set of eyes to look for opportunities you may have missed. The goal is not to criticize, but rather to find ways to streamline processes so that they work more efficiently.

 

So here are the five key steps in the internal audit process, plus some recommendations on how to best use this process to the advantage of your company.

Audit Plan:

 

Internal Audit planning is a requirement of ISO 13485:2016:

The organization shall conduct internal audits at planned intervals to determine whether the quality management system: ??

 

An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits.

 

I have always found that its good practice to have 2 parts to this audit plan, with a master plan showing when in a 12-month period the internal audit(s) will occur,  and a detailed audit plan released a week or two prior to the actual audits.

 

The master plan would also include planned dates for Management Review and any known scheduled external audits. Sometimes it may be a good idea to adjust slightly the timing of internal audits around these other events. The audit master plan should be approved along with any changes. See below for sample section of a master audit plan template that you would customize to suit your quality management system and appropriate market and regulatory requirements.

The audit plan should consider the following:

 

•       Cover the entire scope of your quality management system
•       Scheduling based on risk with perhaps the lead auditor focused on those higher risk areas
•       Consideration of the results from previous audits or recent changes in that part of the QMS
•       For start-up companies I would recommend more audits than just an annual audit and perform at appropriate periods during the implementation process and prior to the certification audit
•       Document the plan and circulate to department managers

 

 

 

Form Audit Team:

 

For a start-up company or a small to mid-size operation this may not be a concern as a single trained lead auditor may be sufficient to handle the audit. However for larger sites it may require a team of auditors.

 

Lead auditor requirements should include: 

•       Completion of external Lead Auditor training by recognized international body.
•       Auditing experience and knowledge of ISO 13485:2016 and other appropriate regulatory requirements.
•       Knowledge of the companies documented quality management system
•       Meet with the audit team and ensure all preparations are complete and the team is ready

Audit team member requirements:

•       Auditing training, either internal or external
•       Knowledge of ISO 13485:2016
•       Trained in the company?s internal audit procedure

A best practice recommendation I can make based on experience is that it is sometimes good to involve some other key staff members in the audit and above and beyond what may be the requirement to cover the scope of the audit. They can be observer?s accompanying the auditors or can actually perform audits on some of the low-risk areas. This can provide experience and knowledge to them and helps to promote the overall companies commitment to quality.

Conduct Audit:

 

Ok, the audit is planned, scheduled, the audit team is prepared, and now it?s time to conduct the internal audit. Here are the key steps involved along with some general guidelines.

  

Preparation:

•          Announcement of audit by Lead Auditor. Recommend at a minimum one week prior to the audit and communicated to all areas including those that may not be planned for auditing as you can never know where the audit trail may lead.                                                                                   
•          Identifying the Audit Team members and areas they will be auditing
•          Communicate Audit Dates and times
•          Provide a designated area for the audit to take place and be managed, a meeting room or suitable office. This is a central audit control and management area and of course a lot of the actual auditing will also take place on the manufacturing floor, storage areas, labs, etc.  

 

Opening Meeting:

•          Introduction of all meeting attendees as required.
•          Review of the planned audit process, schedule and required participants. Make any minor timing adjustments as required.
•          Answer any questions or concerns
•          Record of attendees
•          Remember this is a partnering team-oriented effort to benefit all

 

Initial Document Review:

•          Each auditor follows the check list as a guide
•          Starts by reviewing procedures for each section being audited
•          Document effective date and revision of procedures reviewed
•          Ensure documents are compliant with standards and scope
•          Provide supporting documentation as requested 

Record Review:

 Many sections of the audit will require a sampling review of actual records and should include:

•          Quality Control Inspection and Test records
•          Labelling and Packaging verification
•          Purchasing and approved suppliers
•          Maintenance records
•          Traceability Review
•          Sterilization Records
•          Records of Customer Feedback/Complaints
•          Document Control, retention and storage
•          Training Records
•          Process validation, design control and risk management

Internal Audits are based on sampling and not all records or reports can, or will, be reviewed during the audit.  Focused Audits can be conducted in the appropriate areas such as Design Controls, Risk Management, Process Validations, Training, CAPA and Customer Complaints.

 

Closing Meeting:

•          Lead auditor starts with a thank you to all participants in the audit
•           Rating criteria for findings
•          Summary of the audit findings
•          Clear communication and discussion of audit findings and answer any questions
•          Record of attendees

 

Most internal audits unless it?s a very focused area audit will take several days and so a daily wrap up meeting should be considered as appropriate, to make sure any issues have been communicated with those responsible for those areas. When it comes to the closing meeting there should be no surprises.

???Final thoughts:

 

Internal audits can be one of the most valuable and constructive activities you can perform to find any gaps in your quality management system, make improvements, and to help ensure patient safety and company compliance.

 

All participants in the audit need to act in a professional manner, be open and honest and consider it a team effort to improve the quality system.

 

Internal audits should never be a check-box activity, limited in scope, unannounced, or carried out in a judgmental and antagonistic manner. Use the internal audits and the way you conduct them as a type of training and practice for external regulatory audits from the FDA or other regulatory audit bodies.     

Follow-up on any audit findings in a timely manner and give high priority to any major findings. Not good to have external audits discover the same findings you found during your internal audits but did not fix or they were not effective.

 

Do not have auditors conduct audits in their own areas. Ensure auditors are trained and familiar with the documented audit procedure.

 

 

How can Fast-Track QMS Consultants help:

Want to learn more about Fast-Track QMS Consulting and the document bundles and consulting services we can provide, including a proven, Internal Auditing, procedure and supporting templates. We can also help you with internal audits.

then just click here

We can also offer related procedures for Internal Auditing including; Corrective and Preventive Actions, Risk Management, and Management Review.        

Our complete Turnkey Document Bundle includes 50 procedures and supporting form templates that cover all elements of ISO 13485:2016. These procedures include meeting FDA 21 CFR 820 requirements. Also we can assist with consultation on any part of your ISO 13485:2016 implementation, from planning, through each implementation step and final certification, or help with any part of your quality management system to suit your needs.

???????