Sep 20, 2018
Here’s How To Prepare For An ISO 13485 Audit
Congratulations! You have been chosen (or perhaps conscripted) to conduct or participate in an ISO 13485 internal quality management system (QMS) audit. For many, the prospect of coordinating and conducting an audit can be terrifying. However, believe us when we say the terror subsides with each hour of planning you do. In this white paper we will talk about how you can lay the foundation to ensure that your ISO 13485 audit progresses smoothly, yielding input that’s useful to your company’s management review as well as its corrective and preventive action (CAPA) processes.
This is the first installment of a 3-part blog series on ISO 13485 auditing. We’ll talk about the basics here before moving on to the tips for conducting your first audit. After that we’ll finish by talking about audit reporting and follow-up activities. We’ve combined all three posts into one easy-to-read PDF. Download it here.
The Real Purpose of the Medical Device QMS Audit
Even though it seems obvious, it’s worth repeating that the purpose of conducting an audit is to determine whether the QMS conforms to specified requirements and is effective in enabling your organization to meet quality objectives. In other words, you are trying to assess whether the organization’s system says what it needs to say, that you’re doing what you say you’ll do, and that what you’re doing is working to produce the outcomes you need. A QMS audit is NOT intended to evaluate the quality of products, nor does it focus on the performance of people. The emphasis is on the QMS processes and the effectiveness of the entire system in meeting defined requirements and objectives.
Basic Types of ISO 13485 Audits
Audits are planned, systematic processes carried out according to prepared working documents and audit plans.
ISO 13485 talks about two main components of internal audits (section 8.2.4):
- Confirming that the organization’s QMS documentation conforms to the standard and any applicable regulatory requirements – commonly called a documentation audit.
- Confirming that the organization has implemented and is maintaining the QMS documentation – commonly called an on-site audit.
While documentation and on-site audits may seem like two entirely different animals, they are not. A thorough QMS audit includes both components. The difference between the two usually is in the approach and depth to which each of these audit components is conducted. The focus of the documentation audit centers on whether the QMS has been established and documented, while the on-site audit looks at whether the QMS has been implemented and maintained.
A full QMS audit has four primary goals:
- Determine the extent to which the QMS has been established.
- Determine whether or not the QMS has been documented in accordance with applicable requirements, also known as audit criteria (e.g., ISO standard, applicable regulations, contracts).
- Determine if the QMS has been effectively implemented.
- Determine whether or not the QMS has been properly maintained.
Developing Your Overall ISO 13485 Audit Schedule
A well-planned audit schedule will ensure that audits are performed regularly, are conducted according to the importance of the process and address the results of previous audits.
Developing a master audit schedule is the first step toward planning audit activities for the year. Individual audit leaders will construct the individual audit plans to meet the schedule. An example of a master internal audit schedule is shown below. A similar one could be developed to plan your supplier audits for the year.
A typical ISO 13485:2016 internal audit will generally cover 2-4 areas of the organization each month throughout the year, depending on the size of the company.
Preparing for Your ISO 13485 QMS Audit
When planning an audit, it is tempting to skip some of the steps below and go immediately to creating a checklist and schedule. However, the process of initiating the audit is vital to the audit’s success.
Here are the steps you should take.
- Appoint the lead auditor. The first basic step is to figure out who will lead the audit team. If you work for a small company, that might be you! This person will be responsible for all phases of the audit.
- Define audit objectives, scope, and criteria. This is an important step. You need to define which facilities and/or departments are involved and which processes will be audited. Defining the audit criteria (i.e., ISO 13485:2016) and additional applicable regulatory requirements (e.g., 21 CFR 820 and/or EU Medical Device Regulation 2017/745) is also imperative.
- Determine the feasibility of the audit. You need to ensure that you will be able to conduct the audit as planned. Will you have adequate cooperation from auditees? Are any of the people involved working on a major deadline that would take away from their participation? Will any of them be on vacation? Is there adequate time and budget to conduct the audit? Will all the information you need be made available to you? Don’t assume. Verify.
- Select the audit team. If your company is small, you may comprise the “team.” If your company has more than, say, 150 employees, insources design, makes high-risk products, etc., it is possible that you may need 2+ auditors on your team. In selecting the audit team members, consider which competencies are needed, how long your audit will last, the scope of the audit, and time constraints. The first rule of auditing is that an auditor cannot examine an area for which he/she is responsible. Regarding competence, consider this example: An auditor who needs to interview management regarding management processes (e.g., resource processes, results processes, etc.) should have some minimal business experience. An auditor who needs to verify process or product measurements may need to have knowledge of quality and statistical tools. That’s why ISO defines competence in terms of education, training, skill, experience, and personal attributes.
- Establish initial contact with the auditee(s). With a lead auditor chosen, the team determined, the scope defined, and other factors considered, it’s time to establish contact with your auditees. Make sure affected members of your organization (or your supplier) understand the scope of the audit you are conducting, when the audit will be conducted, and who is on the team. Request access to all relevant documents and, if you are auditing a supplier, ask for a map or sketch of their facility that has the departments clearly labeled.
Conducting a QMS Documentation Review
The purpose of the documentation review is to determine whether or not the QMS has been established and documented. Accordingly, where possible, try to review all documentation before the on-site audit activities commence. This will help you prepare for the on-site audit effectively and efficiently. Typically, auditees are required to submit a quality manual and procedures before the on-site audit.
The documentation should cover relevant information regarding the QMS (e.g., scope, exclusions that may exist) and any additional requirements beyond ISO 13485 and applicable regulatory requirements (e.g., customer requirements and/or supplier agreements). It should represent the documented quality management system as required by ISO 13485 in paragraphs 4.2.1 and 4.2.2 or other applicable criteria. If you are auditing a supplier, sometimes it might not be possible to get the quality manual ahead of time for proprietary reasons. If that’s the case, allocate time for a review at the beginning of the on-site audit. Organizational charts are helpful, so make sure you get a copy.
In addition to the manual and procedures, review:
- Promotional literature and website pages
- Previous audit findings and status of corrective actions
- Supplier agreements (if auditing a supplier)
Role of the Lead Auditor
Every audit has a lead auditor – even if it’s the only auditor! This person represents the team in communication with the auditee and management. The lead auditor also defines the requirements of each audit assignment, including qualification of other audit team members. Here are some of the lead auditor’s additional responsibilities:
- Plan the audit.
- Assign audit responsibilities to each audit team member.
- Make effective use of resources during the audit.
- Organize and direct audit team members.
- Provide direction and guidance to auditors in training.
- Lead the audit team to reach conclusions.
- Prevent and resolve conflicts during the audit.
- Prepare and complete the audit report.
Creating the QMS Audit Plan
Starting an on-site audit without a detailed plan is a surefire way to waste a lot of time, frustrate a lot of people, and leave without generating useful output. In an ideal world, you should spend 2 hours planning every hour of audit time. A detailed audit plan should cover:
- Audit objectives and scope
- Audit criteria and reference documents
- Locations, dates, times, and duration of audit activities
- Audit method to be used, including the extent of sampling
- Roles and responsibilities of the audit team members, guides, and observers
- Allocation of appropriate resources to critical areas of the audit
- Logistics and communications arrangements (usually for supplier audits)
This is an example of an internal audit plan for a single internal process.
This is an example of an ISO 13485:2016 audit plan for individual processes. It also shows the ISO 13485:2016 clauses that would typically be relevant for each process.
Creating Your Working Documents
An essential part of the audit planning stage involves preparation of the working documents. You’ll usually do some of this in parallel with the documentation review portion of the audit, which will give you information about specific topics and information paths to follow during your on-site audit.
Working documents typically include checklists, audit sampling plans and forms for recording meeting attendance, audit evidence, and audit findings (corrective action reports, nonconformity reports). Checklists are good tools, as they save valuable time and ensure that important items are not missed during the audit. It is worth spending time on these, because checklists can be adapted for use in other audits and improved based on your experience over time. Just remember: As you’re auditing, don’t use checklists like a script; instead, consider them only as a guide. Also, don’t forget to safeguard and treat your audit documents as confidential or proprietary at all times.
Notifying Your Auditee
The final step in the preparation phase is to confirm the audit details with your auditee. This correspondence comes from the lead auditor and must follow company procedures and address all points from any previous phone discussions, meetings, or emails. The notification must confirm the date, time, and place of the opening meeting and include the audit plan and proposed schedule/agenda. (Optionally, you could include a copy of your checklists if they will aid understanding, but there are pros and cons to doing so.) The purpose of this notification is to ensure there are no misunderstandings.
A detailed audit plan will be very specific about times, participants, and process areas.
Want to learn more about QMS auditing to ISO 13485:2016?
In our next post we will talk about how to conduct the audit itself, including a look at how to set the tone in the opening meeting, conducting the actual audit, and wrapping things up in a closing meeting. If you would like to learn (a lot) more about ISO 13485 auditing, we offer intensive internal auditor and lead auditor classes in cities throughout the US or in a virtual instructor-led format.