Internal Audit Requirements - All clauses and subclauses covered over the audit cycle

Robert Soares

I am new to the ISO 13485 Standard, by recently joining a company that upgraded in September to the 2003 standard. My background is mainly in automotive (TS 16949) which requires each clause (and subclause) of the standard be covered within the internal audit cycle (typically 1 year). For instance, I would need to show evidence that subclause "7.5.3.3 Status Identification" was covered during my internal audit cycle. Is this a requirement in ISO 13485, that all clauses and subclauses be covered over the audit cycle, and that there is documented evidence to support it?

Any help is appreciated.

Bob Soares
 

Al Rosen

Leader
Super Moderator
No, what's required is a process approach. What I have done is identified the processes and the applicable clauses of the standard. We then audit the processes. Those processes that require additional attention are audited more frequently, but each is audited at least annually.
 
Robert Soares

Internal Audit Requirements

Al,

Thanks for the quick response. In TS, the auditors expect to see in the audit report and/or checklist that each and every subclause (or process identifier as they call them) were audited within the cycle. Sounds like in ISO 13485 as long as the processes have been identified and audited once during the cycle we should be ok?

However, I wasn't here at the time, but the 3rd party auditor wrote a nonconformance that there was no evidence that Risk Management under 7.1 was completed. Doesn't this suggest that he was looking at specific clauses to be covered, or does Risk Management need to be an identified process?

Bob
 

Randy

Super Moderator
Regardless of system or scheme it must be shown by every organization that every "shall" has been met as required. The only way to verify this is to audit the processes established to meet the "shalls".

Figure it out from there.
 

AndyN

Moved On
Hey Robert.........

I'm thinking you're the victim of an old legend about "all clauses etc being audited". This isn't an ISO standard requirement, only one from the registrars. The history (for what it's worth) is that when going for certification/registration the organization didn't want to get a boo-boo for a part of the requirements being missed, so it was recommended by the registrars to do a complete cycle of audits - i.e. all 'elements' etc.

It may have become a legend in their minds too, since many external auditors still expect that, however, by taking a process approach, you can cover many requirements all during the same audit. I use the following file to show this to my auditor clients.

Enjoy!
Andy
 

Attachments

  • basicfootball.ppt
    45.5 KB · Views: 668

Al Rosen

Leader
Super Moderator
Robert Soares said:
Al,

Thanks for the quick response. In TS, the auditors expect to see in the audit report and/or checklist that each and every subclause (or process identifier as they call them) were audited within the cycle. Sounds like in ISO 13485 as long as the processes have been identified and audited once during the cycle we should be ok?

However, I wasn't here at the time, but the 3rd party auditor wrote a nonconformance that there was no evidence that Risk Management under 7.1 was completed. Doesn't this suggest that he was looking at specific clauses to be covered, or does Risk Management need to be an identified process?

Bob
It can be, but I think you can do it other ways as well. You can identify the risk management activities within other processes such as design. Be sure to base it on ISO 14971.
 
Rob Nix

Thus showing both the pros and cons to "Process Oriented Auditing".

At your original desk audit and/or registration audit you establish that your system, which is made up of a number of your internal processes, meets the standard (all of the "shalls"). From that point forward, you can audit - in a "processy" sort of way - all of your internal processes (as documented in your procedures, et al). If you've audited and found no major problems with your adherence to all of your internal procedures, then by extension you've met all the "shalls" in the standard.

Of course your Quality guy/gal should periodically check to make sure that over time, as revisions to the system are made, that no "shall" gets inadvertently dropped from the QMS.

If a registrar auditor discovers during an audit a seeming lapse in a certain practice, he can find the "shall" and ask for evidence. Then it is up to you to find where in your system you address it and provide evidence of conformance/non-conformance.

NOTE: "Process Auditing" does not replace "audit every clause"! You cannot rightfully be said to be conforming to the standard if you're not certain each clause is addressed. Sure, the METHOD for auditing is not a checklist of clauses like before, but the "processes" checked will, and must, pass over the same ground.

 

Al Rosen

Leader
Super Moderator
Robert, take a look at the matrix I've attached. You can fill in your processes along the top and check-off the clauses that apply to each process. The utility of this should be evident.
 

Attachments

  • ISO 13485 Process Matrix.doc
    54 KB · Views: 2,553
MikeL

Anything to help the registrar

I like the idea of the matrix that Al has put up as trying to persuade the registrar that you have in fact covered a particular clause can be difficult.

It does remind me that process based auditing is different for every organisation.

With one of my clients we don't audit purchasing as a separate item as each manufacturing cell looks after their own.

It also reminds me that anything you do to make it clearer to the registrar makes it clearer to yourselves.
 

AndyN

Moved On
I'd like to suggest a different tack.......

that a boiler plate set (checklist) of requirements, based on the specific scope and criteria being audited, which should include the applicable requirements from the Std, is drawn up to give the auditor some guidance as to what to verify.

This method would negate the overall audit calendar/annual plan from showing 'all clauses' were covered, which isn't the intent of the audit scheduling requirement.

So, in effect, the scope of the audit is a process (Duh!) and then the other supporting criteria are also included, at the appropriate step. If you look at my file attachment from an earlier post (the 'football') it should help to visually depict this method. I've used it with one or two clients to good effect (- they might even post a qualification here) and it shows (I believe) how efficient a process audit using this technique can be.

Just a thought.

Andy
 