Very early in my career leading Quality and Regulatory teams in medical device companies, I came to appreciate the value and importance of conducting constructive well planned Internal Audits of the Quality Management System. I would encourage the audit team to find nonconformances, and how it was far better for us to find noncompliance?s so we could fix them before an external auditor discovered them, and how much better that was for so many reasons.
For a mature quality system that has gone through many internal and external audits the expectation should be that not too many findings would be found, and they may only be of a minor nature. However for a start-up medical device company it may well be a different picture and more findings can be expected. It is fairly normal in my experience, for a quality system that has not had time to mature and conduct many, if any, internal audits, that more findings can be expected, and including occasionally a few that fit the mature category.
But again this is OK and provides the opportunity to fix any finding found before external audits find the gaps. This includes early audits held during the QMS implementation and before the certification audit.
In this article I want to cover the requirements of internal auditing as well as provide what I have found to be some best practices to help make your audits constructive.
The benefits of conducting internal audits include the following:
Before we move into looking at the audit process as shown in the diagram below, let?s take a look at the regulatory requirements under the ISO 13485:2016 as well as FDA.
Internal Audit requirements to meet ISO 13485:2016 Section 8.2.4 and FDA 21 CFR Part 820.22
ISO 13485:2016 section 8.2.4 Internal audit:
The organization shall conduct internal audits at planned intervals to determine whether the quality management system:
The organization shall document a procedure to describe the responsibilities and requirements for planning and conducting audits and recording and reporting audit results.
An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits. The audit criteria, scope, interval and methods shall be defined and recorded (see 4.2.5). The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
Records of the audits and their results, including identification of the processes and areas audited and the conclusions shall be maintained (see 4.2.5)
?????????
The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include verification of the actions taken and the reporting of verification results.
Note: Further information can be found in ISO 19011.
FDA 21 CFR 820.22 Quality audit:
Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.
You should have a dedicated documented procedure for Internal Audits as well as support forms i.e. Audit Plan and Audit Checklist.
The procedure should outline the purpose and scope of Internal Audits as well as applicable Quality Standards and Regulations. Also describe the roles and responsibilities of employees involved in the audit process and a step-by-step description of the audit process.
Best practice is to have an audit checklist that covers all elements of the quality management system. The checklist should also have space for the auditor to add notes during the audit.
See sample of a checklist below.
At the risk of repeating myself, but again I would like to really emphasize the purpose of the internal audit is to look closely at your quality management system and to find any gaps and to find opportunities for improvements. At the end of the audit process, including fixing any gaps you should have confidence that you can face an external audit without major issues and your quality system is robust and meets intended purpose.
As a process owner, it can be very helpful to step away for a moment and allow a second set of eyes to look for opportunities you may have missed. The goal is not to criticize, but rather to find ways to streamline processes so that they work more efficiently.
So here are the five key steps in the internal audit process, plus some recommendations on how to best use this process to the advantage of your company.
Internal Audit planning is a requirement of ISO 13485:2016:
The organization shall conduct internal audits at planned intervals to determine whether the quality management system: ??
An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits.
I have always found that its good practice to have 2 parts to this audit plan, with a master plan showing when in a 12-month period the internal audit(s) will occur, and a detailed audit plan released a week or two prior to the actual audits.
The master plan would also include planned dates for Management Review and any known scheduled external audits. Sometimes it may be a good idea to adjust slightly the timing of internal audits around these other events. The audit master plan should be approved along with any changes. See below for sample section of a master audit plan template that you would customize to suit your quality management system and appropriate market and regulatory requirements.
The audit plan should consider the following:
For a start-up company or a small to mid-size operation this may not be a concern as a single trained lead auditor may be sufficient to handle the audit. However for larger sites it may require a team of auditors.
Lead auditor requirements should include:
Audit team member requirements:
A best practice recommendation I can make based on experience is that it is sometimes good to involve some other key staff members in the audit and above and beyond what may be the requirement to cover the scope of the audit. They can be observer?s accompanying the auditors or can actually perform audits on some of the low-risk areas. This can provide experience and knowledge to them and helps to promote the overall companies commitment to quality.
Ok, the audit is planned, scheduled, the audit team is prepared, and now it?s time to conduct the internal audit. Here are the key steps involved along with some general guidelines.
Record Review:
Many sections of the audit will require a sampling review of actual records and should include:
Internal Audits are based on sampling and not all records or reports can, or will, be reviewed during the audit. Focused Audits can be conducted in the appropriate areas such as Design Controls, Risk Management, Process Validations, Training, CAPA and Customer Complaints.
Closing Meeting:
Most internal audits unless it?s a very focused area audit will take several days and so a daily wrap up meeting should be considered as appropriate, to make sure any issues have been communicated with those responsible for those areas. When it comes to the closing meeting there should be no surprises.
???Final thoughts:
Internal audits can be one of the most valuable and constructive activities you can perform to find any gaps in your quality management system, make improvements, and to help ensure patient safety and company compliance.
All participants in the audit need to act in a professional manner, be open and honest and consider it a team effort to improve the quality system.
Internal audits should never be a check-box activity, limited in scope, unannounced, or carried out in a judgmental and antagonistic manner. Use the internal audits and the way you conduct them as a type of training and practice for external regulatory audits from the FDA or other regulatory audit bodies.
Follow-up on any audit findings in a timely manner and give high priority to any major findings. Not good to have external audits discover the same findings you found during your internal audits but did not fix or they were not effective.
Do not have auditors conduct audits in their own areas. Ensure auditors are trained and familiar with the documented audit procedure.
Want to learn more about Fast-Track QMS Consulting and the document bundles and consulting services we can provide, including a proven, Internal Auditing, procedure and supporting templates. We can also help you with internal audits.
We can also offer related procedures for Internal Auditing including; Corrective and Preventive Actions, Risk Management, and Management Review.
Our complete Turnkey Document Bundle includes 50 procedures and supporting form templates that cover all elements of ISO 13485:2016. These procedures include meeting FDA 21 CFR 820 requirements. Also we can assist with consultation on any part of your ISO 13485:2016 implementation, from planning, through each implementation step and final certification, or help with any part of your quality management system to suit your needs.
???????