
Feb 18, 2019

ISO 19011:2018 Changes: How They Impact Medical Device QMS Auditors

Management system standards such as ISO 13485:2016 define the requirements that auditors are reviewing for conformance – the what – but they don’t get into the details of how to audit against them. ISO 19011, on the other hand, does just that – it provides a methodology to guide auditors in doing their work by adding further context and guidance.

ISO 19011 was previously updated in 2011. Since then, the practice of auditing has evolved in the ways that audits are managed, planned, and executed. ISO 19011:2018 reflects current best practices in auditing management systems of all types and today’s lead auditor needs to be keenly aware of the key changes it introduces.

Here are some of the most important changes that medical device industry lead auditors should know.

The “Risk-Based Approach” Has Been Added as a Principle of Auditing

Experienced lead auditors know that traditionally there have been six basic tenets of auditing based on the following concepts.

1 – Integrity

2 – Fair presentation

3 – Due professional care

4 – Confidentiality

5 – Independence

6 – Evidence-based approach

ISO 19011:2018 adds a seventh principle focused on using the risk-based approach in auditing:

7 – Risk-based approach

The definition of risk presented in ISO 19011:2018 aligns with the concept of risk-based approach in ISO 13485:2016 clause 4.1.2(b). This ISO 13485:2016 requirement instructs organizations to apply a risk-based approach in deciding how to control their QMS processes. ISO 19011 follows a similar tack in suggesting the application of risk-based measures across all aspects of auditing – from your overall audit program management through the planning and performance of an individual audit and into auditor competence.

Auditors in the medical device industry will certainly be familiar with this emphasis on risk. The FDA and EU regulators have been promoting a risk-based approach for years, but ISO 19011:2018 reinforces its importance across industries in all types of management systems by elevating it to a core principle. In doing so, ISO is encouraging auditors to place more emphasis on risks in planning and conducting audits. The resulting risk-based audit focus should increase the value of audits to an organization by providing actionable information about where significant risks exist in the QMS.

More Competence Expected of Auditors

ISO 19011:2018 takes on the topic of auditor competence more directly than the 2011 edition of the standard. ISO 19011:2011 housed information on suggested competence measures in an Annex, but that information has been moved up into the normative clauses for the 2018 revision. This auditor evaluation guidance is especially helpful as a reference for medical device auditors and audit program managers who must demonstrate auditor competence to regulatory authorities and third-party auditors in the context of the ISO 13485:2016 clause 6.2 requirements for personnel competency.

The standard outlines expectations for auditor knowledge and skills, as well as for achieving competence through ongoing experience and audit delivery. Specific guidance is also given for ways to measure and demonstrate the competence of an auditor, including to consider audit experience, audit versatility, certifications earned, report accuracy and completeness, report timeliness, and auditee/client feedback.

The 2018 version of the standard discusses the importance of considering the competence of the entire audit team, not just that of an individual auditor. The standard notes that any member of the audit team should be competent to speak authoritatively with executives within their own company. Thus, communication skills and conducting oneself appropriately in a management setting are important, specific competence requirements for all auditors.

More Emphasis on Audit Planning and Process Approach

Audit planning takes center stage in ISO 19011:2018 and ties in nicely with the emphasis on the risk-based approach. The best way to address a risk is to plan for it! ISO 19011 guides you to consider the risks that may prevent an individual audit from being completed or from achieving its objectives. What could prevent you from completing your audit as planned? Travel issues? Language barriers? The standard prompts you to think about these risks and add elements to your audit plan to mitigate or eliminate them.

The same risk considerations should be made in planning your overall audit program. In other words, specifically for the medical device industry, if the objective of the overall audit program is to ensure your QMS is appropriately designed to meet your customers’ needs and any applicable regulatory requirements, what steps or tools can you build into your overall auditing process to make sure that happens?

Also, when it comes to planning your overall internal audit program, remember that you do not have to plan a single two-week, two-person audit to review your QMS, like MDSAP audits are designed. Mini or individual QMS process audits are perfectly acceptable to achieve the goal. It’s also perfectly acceptable – and in some cases might be encouraged – to audit a single QMS process more than once during the full audit cycle. That concept is important to realize in audit planning, especially for the higher-risk processes in your organization. Think of this approach as asking a question two different ways at two different times to see if you get the same answer.

Finally, an important change in ISO 19011:2018 is that it now reflects the “new normal” in internal auditing – a move from element-based auditing to a methodology that emphasizes the interrelationships between processes. Anyone who has experienced an MDSAP audit or FDA QSIT inspection can certainly appreciate the relevance of this change. The standard discusses the importance for an auditor to review not just conformance of a management system against individual, specific requirements of a standard but also to audit the conformance of the connections among all of the related processes against requirements. This audit of the connections between and among processes is where the auditor usually can collect the most valuable evidence to determine the effectiveness of the overall management system.

Want to Learn More?

Since 1968, Oriel STAT A MATRIX has trained more than 130,000 auditors and conducted thousands of quality system audits. We offer auditor training for ISO 13485, MDSAP and EU MDR; our experienced auditor consultants can also provide outsourced audit support.
