ISO 13485 Audit Questions - Internal Auditor Training and other Requirements

mlaurie · Mar 11, 2015

I looked through our blogs but could not find an answer.

We recently completed a surveillance audit, 3-11-15, from our CB. Although we did not receive an NC, he claims that: (#1) I, as the Manager Rep, have jeopardized the internal audit process because, 5.5.2 a) states that ?ensuring the processes needed for the QMS are established, implemented and maintained?. Meaning any internal auditing I do is essentially auditing my own work.
#2) any internal auditors trained to 9001 are not qualified for 13485 medical audits.
There is some validity in 2 but they can audit common/similar areas of the system. Does anyone have any input on this?

Also: Is there a data base somewhere for qualified auditors that conduct in-house auditor training? We have 9 people in-scope and top management will not pay $10K to fly trainers in from our CB.
Thanks
Sarasota Mike

AndyN · Mar 11, 2015

mlaurie said:
I looked through our blogs but could not find an answer.

We recently completed a surveillance audit, 3-11-15, from our CB. Although we did not receive an NC, he claims that: (#1) I, as the Manager Rep, have jeopardized the internal audit process because, 5.5.2 a) states that ?ensuring the processes needed for the QMS are established, implemented and maintained?. Meaning any internal auditing I do is essentially auditing my own work.
#2) any internal auditors trained to 9001 are not qualified for 13485 medical audits.
There is some validity in 2 but they can audit common/similar areas of the system. Does anyone have any input on this?

Also: Is there a data base somewhere for qualified auditors that conduct in-house auditor training? We have 9 people in-scope and top management will not pay $10K to fly trainers in from our CB.
Thanks
Sarasota Mike

Your auditor is talking rubbish, frankly! (if what you post is accurate). You are NOT auditing your own work, unless you actually TOUCH it. The QMS isn't YOUR work. Good grief! Why would anyone cite that, when it's in 8.2.2, either, is beyond me!

Also, YOU determine "competency" for your auditors. Frankly going to ANY course doesn't make ANYONE competent - again, the auditor demonstrates a complete lack of competency themselves in saying so! No, ignore them, and call your CB and tell them you don't appreciate such "off the cuff" comments, which are both unwarranted and unwelcome. Ask them to NOT send back the auditor next time - maybe consider also changing CBs...

Marcelo · Mar 11, 2015

(#1) I, as the Manager Rep, have jeopardized the internal audit process because, 5.5.2 a) states that “ensuring the processes needed for the QMS are established, implemented and maintained”. Meaning any internal auditing I do is essentially auditing my own work.

Theoretically, he?s right, but I don?t see this NC being raised often (I do raise them, thought

).

The requirement for auditing is not that you must not audit your own work, but to have freedom from responsibility for the activity being audited.

The management representative is required by the standard to be responsible for the whole quality system, so in practice if you are the management representative, you cannot audit the system in any way.

#2) any internal auditors trained to 9001 are not qualified for 13485 medical audits.

This is also correct.

AndyN · Mar 11, 2015

Marcelo Antunes said:
Theoretically, he?s right, but I don?t see this NC being raised often (I do raise them, thought ).

The requirement for auditing is not that you must not audit your own work, but to have freedom from responsibility for the activity being audited.

The management representative is required by the standard to be responsible for the whole quality system, so in practice if you are the management representative, you cannot audit the system in any way.

This is also correct.

I don't believe you are correct! The "work" referred to isn't the QMS at all! If this were the case, about 70% of implementations would be non-compliant. As for someone trained in ISO 9001 vs 13485, where is it a requirement in either standard that any auditor has to be trained in a standard?

Marcelo · Mar 11, 2015

I don't believe you are correct! The "work" referred to isn't the QMS at all!

From ISo 19011:

3.1
audit
systematic, independent and documented process for obtaining audit evidence (3.3) and evaluating it objectively to determine the extent to which the audit criteria (3.2) are fulfilled
NOTE 1 Internal audits, sometimes called first party audits, are conducted by the organization itself, or on its behalf, for management review and other internal purposes (e.g. to confirm the effectiveness of the management system or to obtain information for the improvement of the management system). Internal audits can form the basis for an organization?s self- declaration of conformity. In many cases, particularly in small organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.

If this were the case, about 70% of implementations would be non-compliant.

I think they are, but nobody seems to care.

As for someone trained in ISO 9001 vs 13485, where is it a requirement in either standard that any auditor has to be trained in a standard?

Nowhere, but if you are auditing ISO 13485, how can you audit if you do not know ISO 13485? Would it be ok to audit ISO 13485 if you only know ISO/TS 16949: 2009?

Anyway, I think what the OP meant is that someone with only and ISO 9001 background cannot , in principle audit ISO 13485 requirements, and that?s what I agreed with (not related to courses of anything).

AndyN · Mar 11, 2015

Marcelo Antunes said:
From ISo 19011:

I think they are, but nobody seems to care.

Nowhere, but if you are auditing ISO 13485, how can you audit if you do not know ISO 13485? Would it be ok to audit ISO 13485 if you only know ISO/TS 16949: 2009?

Anyway, I think what the OP meant is that someone with only and ISO 9001 background cannot , in principle audit ISO 13485 requirements, and that?s what I agreed with (not related to courses of anything).

That's a completely bizarre interpretation of both what ISO 19011 guides and the requirement to not audit your own work! How would a very small company exist, if someone couldn't audit a process they participate in - unless they avoid auditing the work they actually touched! The QMS isn't the QA mgr (or Mgmt rep's) "Work". Someone else implements it, don't they?

Also, internal auditors don't need to know a standard to be able to perform an internal QMS audit - if they did, it would state so - and only ISO/TS 16949 makes that a clear requirement...(it may be in AS, I can't remember and it's a sector scheme, not an ISO)

Marcelo · Mar 11, 2015

As I mentioned, the requirement is not "not to audit your own work", but "not to audit an activity your are responsible for".

Responsability is different from who does "work". It?s related to accountability. So yes, people implement the system, but due to the requirement of the standards, the management representative is accountable (responsible) for the whole system.

Also, related to the QMS auditing, I didn?t say that you need to know the standard to audit a QMS, but one requirement from the standards is that you need to audit the requirements form the standards, so I don?t think it?s possible if you don?t know the standard. Anyway, I still don?t think this is what the OP mentioned.

Marcelo · Mar 11, 2015

Oh, sorry, you were talking about the requirement "Auditors shall not audit their own work" (I think I?m still jet-lagged

). Yes, this is also true, but in a more general way, as described in 19011, the impartiality is related to responsibilities. I?ve always thought that that requirement is a bit misleading the way it?s phrased and, if you note, the draft revision removed this requirement and points to ISO 19011 so they will really correct that mistake, in my opinion.

Big Jim · Mar 11, 2015

Marcelo Antunes said:
As I mentioned, the requirement is not "not to audit your own work", but "not to audit an activity your are responsible for".

Responsability is different from who does "work". It?s related to accountability. So yes, people implement the system, but due to the requirement of the standards, the management representative is accountable (responsible) for the whole system.

Also, related to the QMS auditing, I didn?t say that you need to know the standard to audit a QMS, but one requirement from the standards is that you need to audit the requirements form the standards, so I don?t think it?s possible if you don?t know the standard. Anyway, I still don?t think this is what the OP mentioned.

In support of Andy, you are reaching beyond what the standard says.

19011 is GUIDANCE. There are no SHALLS in 19011. You cannot impose 19011 guidance as requirements for either 9001 or 13485. Consider it more as a best practice at most.

mlaurie · Mar 12, 2015

Although somewhat new to the manager rep position, I?ve guided our company through stage 1 & 2, ? dozen surveillance audits and one re-cert with several different auditors. This is the first time this issues has been raised and this auditor is just now in his 2nd year. I lean more towards Andy and Jim on this but appreciate everyone?s input. No NC was assessed so no formal compliant will be issued to my CB. Thanks to all.
I still need a resource for audit instructors
Thanks again
Sarasota Mike

ISO 13485 Audit Questions - Internal Auditor Training and other Requirements

mlaurie

AndyN

Moved On

Marcelo

Inactive Registered Visitor

AndyN

Moved On

Marcelo

Inactive Registered Visitor

AndyN

Moved On

Marcelo

Inactive Registered Visitor

Marcelo

Inactive Registered Visitor

Big Jim

mlaurie

Similar threads