The Cove Business Standards Discussion Forums
Go Back   The Elsmar Cove Business Systems and Standards Discussion Forums > > >
Forum Username

Elsmar Cove Forum Visitor Notice(s)

Wooden Line

ISO 13485:2016 Registration - NC on full cycle of internal audits

Monitor the Elsmar Forum
Courtesy Quick Links


Links Elsmar Cove visitors will find useful in the quest for knowledge and support:

Jennifer Kirley's
Conway Business Services


Howard's
International Quality Services


Marcelo Antunes'
SQR Consulting, and
Medical Devices Expert Forum


Bob Doering
Bob Doering's Blogs and,
Correct SPC - Precision Machining


Ajit Basrur
Claritas Consulting, LLC



International Standards Bodies - World Wide Standards Bodies

AIAG - Automotive Industry Action Group

ASQ - American Society for Quality

International Organization for Standardization - ISO Standards and Information

NIST's Engineering Statistics Handbook

IRCA - International Register of Certified Auditors

SAE - Society of Automotive Engineers

Quality Digest

IEST - Institute of Environmental Sciences and Technology


Some Related Topic Tags
audit nonconformances and findings, internal audits, iso 13485 - medical device qms, iso 13485:2016, medical device software
Reply
 
Thread Tools Search this Thread Rate Thread Content Display Modes
  Post Number #1  
Old 16th May 2018, 11:58 AM
regork's Avatar
regork

 
 
Total Posts: 18
Look! ISO 13485:2016 Registration - NC on full cycle of internal audits

Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.

Sponsored Links
  Post Number #2  
Old 16th May 2018, 12:11 PM
AndyN's Avatar
AndyN

 
 
Total Posts: 9,122
Let Me Help You re: ISO 13485:2016 Registration - NC on full cycle of internal audits

Quote:
In Reply to Parent Post by regork View Post

Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
I haven't found anyone who can define what a "full audit cycle" is so, to have received a non-conformity against an unspecified "requirement" seems a bit much to me. To force doing a whole QMS audit, when there were only a few changes to ISO 13485, seem "over-reach" to me. With other standards, I've seen the changes audited, which has been acceptable - and makes sense (to me at least).

Secondly, there IS no timeframe for getting audits done. A schedule isn't even a requirement, yet CB auditors demand them. Pack sand, I'd tell them! Your CB MAY have a contractual requirement to do audits annually (or similar), so check that first.

Most transitions need a plan - otherwise how do you know you've "arrived" having addressed the new stuff?

Last edited by AndyN; 16th May 2018 at 03:22 PM.
Thanks to AndyN for your informative Post and/or Attachment!
  Post Number #3  
Old 4th June 2018, 07:28 AM
BhupinderSinghPawa

 
 
Total Posts: 33
Re: ISO 13485:2016 Registration - NC on full cycle of internal audits

Is this a Stage 1 or Stage 2 audit? I am assuming it is Stage 1; since the auditor can not give a Non Conformance - major or minor - without reference to the corresponding clause(s) in the standard in Stage 2; and in Stage 1 only findings are provided.

The prerequisite for Stage-2 audit is to have, among other elements
a QMS that adequately covers EN ISO 13485:2016,
at-least 1 Internal Quality Audit performed against the QMS, and
at-least 1 Management Review performed (preferably with results of the IQA).

Perhaps, the auditor's findings in Stage 1 is to ensure the completion prior to Stage 2. The Stage-2 audit will address the implementation of all the requirements of the standard
  Post Number #4  
Old 4th June 2018, 08:03 AM
BhupinderSinghPawa

 
 
Total Posts: 33
Re: ISO 13485:2016 Registration - NC on full cycle of internal audits

Quote:
In Reply to Parent Post by regork View Post

Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

This is a prerequisite for Stage-2 audit - a fully defined Quality Management System against 13485 and an Internal Quality Audit against the same.

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

The plan was for a phase wise deployment of QMS in the organization. In addition, the project transition document captured the movement from an existing process/documents to the QMS defined process/documents.

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

In my experience defined Quarterly Internal Audits with a full audit against the 13485 clauses covered in 1 year. The 13485 and EN ISO 19011 do not seem to prescribe a period. It's based on multiple factors - size of organization, risk classification of the medical devices, product complexity, scale of operations etc; that organization has to decide and NB to judge that it's adequate.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?


From a QMS definition point of view, you seem to be on solid ground.

From a QMS deployment point of view, extend the Gap Analysis document to include evidence of practice of revised SOP's. This could be a list of updated revised documents.

Also evidence the audit reports against the effective SOP's as of audit-date to show that audit was done against the revised SOP's.

If there is still a gap, then in next audit prior to stage-2, cover the gap in the internal audit scope.



TIA - Regork.
Refer to the inline response above.
  Post Number #5  
Old 4th June 2018, 11:39 AM
regork's Avatar
regork

 
 
Total Posts: 18
Re: ISO 13485:2016 Registration - NC on full cycle of internal audits

BhupinderSinghPawa
Thank you for your response and thoughts. I may have mislead you on the company's certification, we actually did a transfer from another registrar of ISO 13485:2003. The new registrar was here to do the audit for the transfer and reassessment. We were not actually doing a new registration.

When you say that the internal audit is a prerequisite for Stage-2 audit is this listed in an ISO standard / document somewhere or where is that requirement defined?

Our transition quality plan contains verified proof that our QMS was updated to add the new requirements of the 2016 revision and regulatory requirements, but these changes were not very complex and we developed our internal audit schedule to complete the audits based on the risk of the SOP changes + plus the impact each SOP has on product quality (S&E) plus previous internal audit history / nonconformities issues against each SOP.

Keep in mind the scope of the company is 16 employees, no notified body / CE mark, and a class I device that the FDA is exercising enforcement discretion on. We do do software development of customer components medical devices.

I ended up responding to the internal audit NC by stating that we will do the internal audits within 45 days of issue. In reality, this NC should have been a major and prevented the certification, not a minor that can be verified during the next surveillance.

Regork
  Post Number #6  
Old 4th June 2018, 01:14 PM
QANowatzke

 
 
Total Posts: 2
Re: ISO 13485:2016 Registration - NC on full cycle of internal audits

Quote:
In Reply to Parent Post by regork View Post

Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
We just went through our ISO 13485:2016 Transition audit and there was no mention to us of a requirement to perform an internal audit prior to the NB audit. We have a 3rd party perform our internal audits since we are too small to do internally, and our next internal audit is next week (a full 2 months after the Transition). We did exactly as you described - created a quality plan, performed a gap analysis, and closed the gaps - as prep for our transition.
  Post Number #7  
Old 4th June 2018, 01:14 PM
AndyN's Avatar
AndyN

 
 
Total Posts: 9,122
Let Me Help You Re: ISO 13485:2016 Registration - NC on full cycle of internal audits

Quote:
In Reply to Parent Post by regork View Post

BhupinderSinghPawa
Thank you for your response and thoughts. I may have mislead you on the company's certification, we actually did a transfer from another registrar of ISO 13485:2003. The new registrar was here to do the audit for the transfer and reassessment. We were not actually doing a new registration.

When you say that the internal audit is a prerequisite for Stage-2 audit is this listed in an ISO standard / document somewhere or where is that requirement defined?

Our transition quality plan contains verified proof that our QMS was updated to add the new requirements of the 2016 revision and regulatory requirements, but these changes were not very complex and we developed our internal audit schedule to complete the audits based on the risk of the SOP changes + plus the impact each SOP has on product quality (S&E) plus previous internal audit history / nonconformities issues against each SOP.

Keep in mind the scope of the company is 16 employees, no notified body / CE mark, and a class I device that the FDA is exercising enforcement discretion on. We do do software development of customer components medical devices.

I ended up responding to the internal audit NC by stating that we will do the internal audits within 45 days of issue. In reality, this NC should have been a major and prevented the certification, not a minor that can be verified during the next surveillance.

Regork
It's in the CB accreditation requirements, ISO/IEC 17021. Certification clients such as you don't necessarily know about this stuff, so the CB is supposed to inform you (since you are already certified, the stage 2 doesn't apply)
  Post Number #8  
Old 8th June 2018, 03:54 PM
Freeze1755

 
 
Total Posts: 1
Re: ISO 13485:2016 Registration - NC on full cycle of internal audits

We just completed the 13485:2016 audit (we're already certified to 2012) and got a Major Nonconformance for not having done an internal audit on all the quality system elements prior to the NB audit (we had just done Design Controls). Everything else was in place, and after 5 days they couldn't find any examples of us not complying with the new standard. Seems completely unreasonable to me-- anyone ever appealed a NC before?
Reply

Lower Navigation Bar
Go Back   The Elsmar Cove Business Systems and Standards Discussion Forums > > >

Bookmarks



Visitors Currently Viewing this Thread: 1 (0 Registered Visitors (Members) and 1 Unregistered Guest Visitors)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Forum Search
Display Modes Rate Thread Content
Rate Thread Content:

Forum Posting Settings
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Emoticons are On
[IMG] code is On
HTML code is Off


Similar Discussion Threads
Discussion Thread Title Thread Starter Forum Replies Last Post or Poll Vote
Internal Audit Program under MDSAP and 13485:2016 snoopy2017 ISO 13485:2016 - Medical Device Quality Management Systems 10 27th June 2018 11:12 AM
ISO 13485: 2016 Internal Audit - Is sampling on projects allowed? Thukira ISO 13485:2016 - Medical Device Quality Management Systems 6 3rd May 2018 07:43 AM
ISO 13485:2016 and MDSAP internal auditing snoopy2017 ISO 13485:2016 - Medical Device Quality Management Systems 6 11th December 2017 03:28 PM
Is a full Internal Audit cycle every year required? oruiz2 AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 6 7th August 2014 10:54 AM
Internal Audits must be inside of the continuous improvement cycle rrramirez Internal Auditing 3 12th February 2000 10:57 AM



The time now is 05:07 AM. All times are GMT -4.
Your time zone can be changed in your UserCP --> Options.



Misc. Internal Links


NOTE: This forum uses "Cookies"