Corrective Actions Root Causes from Surveillance Audit Findings


Hi Cove members!

I hope someone has some insight on how to determine the root cause and corrective action for some minor findings from our ISO 13485 surveillance audit. We are a small medical device company and ISO 13485 is pretty new to us, as we just started a couple of years ago. I don't expect anyone to answer these for me but I hope to be guided through this by objective readers :)

1. One of the nonconformities was written up against Sec. 4.1, which states that outsourced processes must be controlled and identified within the QMS. While it was found that our outsourced processes are controlled, they are not identified.

It was mentioned that the fix can be as simple as marking the outsourced processes on our approved vendor list. Great!

Now I'm stuck on figuring out the root cause and corrective action. We have an approved vendor list, but we didn't know we had to explicitly identify which ones are outsourced. Why not? Because no one here (me) is an expert at this, though we were trained to this standard to understand the basics. I don't want to say it's a training deficiency because even with further training on ISO 13485, I don't see how the issue of not being aware of all the details will be resolved.

2. The second nonconformity is against 8.2.2 where it states that internal audit follow-up activities shall include verification and reporting verification results. The reason for this nonconformity is that this requirement isn't addressed in our procedure. I tried to fight this one because the auditor didn't have evidence that this requirement was not being performed (we use CAR forms with a verification section), but the auditor said it needs to be addressed in the procedure.

I'm better at determining the root cause for repeating/systemic process issues. However, I'm at a loss when it comes to things like needing to explicitly identify outsourced services or something missing from the procedure.

Thanks for any help in advance! :)

insect warfare

QA=Question Authority
Outsourced processes can also be identified through the use of a process map. If an overall process map already exists within your organization, then you could simply identify them there - the added benefit is you can show how they interact with your internal processes and have a good reference document as a plus. But keep in mind that the word "identified" in this context does not necessarily mean "documented", so if you were able to adequately explain to your auditor what those outsourced processes were without having them documented per se, this still counts as "identified" and IMO maybe should have only been raised as an OFI (opportunity for improvement) and not a NC.

As for your 8.2.2 dilemma, what does your corrective/preventive action procedure state in regard to how internal audit findings are followed up on and verification recorded? The reason I ask is that even though your internal audit procedure may not state the requirements explicitly, your CAPA procedure may already contain this information, which still satisfies the requirement. If not, your auditor may have a case here, but still should be an easy remedy.

Brian :rolleyes:


Thanks, Brian. I think both have easy remedies/corrections, but that's just it. I'm wondering how to dig deeper to the root cause in these cases. :confused:
