Is it required to complete Internal Audits within one year?

SGquality

Quite Involved in Discussions
#1
I am in an ISO 13485:2016 audit by a leading registrar.

For our internal audits, we have identified 14 processes that were all completed in one year but come year 2020, the pandemic, it was not possible to complete all 14 so we put a risk-based approach and identified High, Medium and Low Risk. All the High's would be audited every year; medium would be covered once in two years; while the low risk ones to be covered once in three years.

The auditor is not agreeing with this risk based approach and insisting that all the 14 processes must be completed every year to pass the yearly surveillance audits. Is this true? I feel it is incorrect but would like to hear from you guys.
 
Elsmar Forum Sponsor

blackholequasar

The Cheerful Diabetic
#2
We have done the same thing at our facility - we have our Primary (high) Processes which are done on an annual basis. We have our Secondary (low) Processes which are done every-other year depending on if it is an even or odd year that we are in. I think that as long as you can prove your LOW risk processes do not require action and have not produced corrective action or serious doubts on how mature they are, you could argue with the auditor that it does not state that all processes SHALL be audited ... that is, unless, your own process defines it that way.

Ask your auditor to show you the "shall" statement from the audit. I'd be curious to see what they provided.
 

blackholequasar

The Cheerful Diabetic
#4
§8.2.4 The organization shall conduct internal audits at planned intervals to determine whether the quality management system:
a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements;
b) is effectively implemented and maintained

It does not state that the planned interval shall be annual.

And that's all she wrote as far as Internal Audit 'shall' territory! :applause:
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#6
Great response so I am not the lone swimmer :)
You are not. In addition to what blackholequasar said, the standard specifically describes to not just stick to an annual schedule of auditing everything.
An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#8
What is the process if I have to formally escalate this issue?
With whom do you feel the need to escalate this issue? 30 July edit: I see that I did not read the OP's first post fully. I am sorry. I will leave points 2 and 3 there for general information.
  1. If it is a certifying body auditor, I would contact Customer Service at once and ask to dispute the finding.
  2. Supplier auditors are harder. I would nonetheless ask for a dispute. The auditor could put you in touch with his or her manager.
  3. If it is internal, I would refer to ISO 9002:2016, clause 9.2.2. If you don't have a copy, I am thinking the purchase price would be less than a bunch of unnecessary audits:
    When determining the frequency, the organization should apply risk-based thinking and consider how often the process is performed, how mature or how complex the process is, any changes in the process, and the objectives of the audit programme. For example, more mature processes are likely to require less frequent internal audits. More complex processes can require more frequent internal audits. A list of inputs to consider when planning audits includes, but is not limited to:
    • a) importance of the processes;
    • b) managerial priorities;
    • c) performance of the processes;
    • d) changes affecting the organization;
    • e) results from previous audits (e.g. history of problems);
    • f) trends in customer complaints;
    • g) statutory and regulatory issues.
 
Last edited:

chris1price

Trusted Information Resource
#9
As someone who audits suppliers, I 100% agree with the risk based approach to generating the audit schedule that Jen and others advocate. My only caveat is to ensure that nothing gets forgotten. Make sure very low risk processes still get covered in a reasonable timeframe.
 

SGquality

Quite Involved in Discussions
#10
As someone who audits suppliers, I 100% agree with the risk based approach to generating the audit schedule that Jen and others advocate. My only caveat is to ensure that nothing gets forgotten. Make sure very low risk processes still get covered in a reasonable timeframe.
It relates to ISO 13485 certification by a Registrar (CB)
 
Thread starter Similar threads Forum Replies Date
S Required Complete calibration SOP, calibration Plan and master list template! IATF 16949 - Automotive Quality Systems Standard 3
S Ford Q1 for a plant with no Ford products - Still required to complete requirements? Customer and Company Specific Requirements 5
M Complete revamp of quality systems required - Major pitfalls I should try to avoid Misc. Quality Assurance and Business Systems Related Topics 12
S Record approval- Signatures required ISO 13485:2016 - Medical Device Quality Management Systems 4
M MDSAP required for Device Initial Importer/Distributor into Canada? Other Medical Device Regulations World-Wide 11
I Is SRN required for a contract manufacturer (CE-Marking product)? EU Medical Device Regulations 2
O New GTIN (DI) required? Other US Medical Device Regulations 0
P Is the second factor authentication (2FA) required for external users? Qualification and Validation (including 21 CFR Part 11) 1
validationspec EN 868-5 pdf required. Medical Device and FDA Regulations and Standards News 1
F Uncertainty not Required Measurement Uncertainty (MU) 3
I How to find required testing for a specific device? Other US Medical Device Regulations 3
U Is Initial Importer Status Required if a Medical Device is Manufactured and Sterilized by an OEM in the US Other US Medical Device Regulations 1
D "certified" in ISO 19011, as well as IATF required? IATF 16949 - Automotive Quality Systems Standard 6
M Is validation required when consumables are changed Qualification and Validation (including 21 CFR Part 11) 7
B Is labeling on the device itself required? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 5
J Scrap Material Scale Calibration Required? IATF 16949 - Automotive Quality Systems Standard 21
K Is Calibration Required for Non-Adjustable Commercial Inspection Devices? General Measurement Device and Calibration Topics 11
C ISO 9001:2015 8.3.2. h) Design and Development Planning - What is required? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
S Does a refurbished product required a new UDI? US Food and Drug Administration (FDA) 3
S For Parts Manufacturer Approval (PMA) Is 100% Inspection Required? Federal Aviation Administration (FAA) Standards and Requirements 2
B AS9102 - 3D printing a special tool required for assembly (counterfeit risk?) AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 12
R "Medical devices" required in scope ISO 13485:2016 - Medical Device Quality Management Systems 2
OpExPro AIAG VDA DFMEA Template Required FMEA and Control Plans 6
B PMA Supplement Required? US Food and Drug Administration (FDA) 3
F UDI-PI required on packaging (MDR) EU Medical Device Regulations 4
S Required tests for Surgical gown US Food and Drug Administration (FDA) 1
R Is a FAIR required on parts that we design? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
I IQOQ or just initial calibration required? General Measurement Device and Calibration Topics 3
B NIOSH Approval for Surgical N95 Respirators - Required testing US Food and Drug Administration (FDA) 2
A Is calibration of test weight required General Measurement Device and Calibration Topics 4
A 8.6 Release of products and services, 8.3 Design and development - evidence required ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
D Deciding whether or not pre-market clinical investigation is required for low risk device EU Medical Device Regulations 5
R Green dot required on packaging? Medical Device and FDA Regulations and Standards News 2
M Indian Medical Device Rules - Manufacturing and Wholesale Lic. Required? Other Medical Device Regulations World-Wide 12
M Is IEC 60601-1-2 required by FDA for all electronic medical devices? IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
B Where to acquire EN 868-5 required dye (Amaranth red)? Other Medical Device Related Standards 2
Marcel DS How do I know if my product is required be RoHS certified? REACH and RoHS Conversations 6
K When is Bioburden Testing Required? Other Medical Device Related Standards 8
G Is repeatability required for equipment calibration? General Measurement Device and Calibration Topics 10
D Device functionality over service life - Objective evidence required? Design and Development of Products and Processes 10
M Quality management certification required by Health Canada Canada Medical Device Regulations 3
N Usability testing required for FDA IDE (investigational device exemption)? Human Factors and Ergonomics in Engineering 8
M Case study solution help required as per ISO 9001 : 2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
R Shall a new UDI-DI be required when stand-alone software device's version is updated? EU Medical Device Regulations 1
A Question on ISO 14001:2015 - Are annual audits required? ISO 14001:2015 Specific Discussions 11
M Is Validation of Plating Processes required and who is responsible? Qualification and Validation (including 21 CFR Part 11) 11
MDD_QNA Medical Device Software - Is a Help Button required? IEC 62304 - Medical Device Software Life Cycle Processes 1
O ISO 13485 - Is management review required before stage 1? ISO 13485:2016 - Medical Device Quality Management Systems 6
D Recent changes to ISO 14971 - SOP required for managing standard revisions ISO 13485:2016 - Medical Device Quality Management Systems 1
Jane's Like-for-like critical raw material change qualification - type of testing/ number of lots required ISO 13485:2016 - Medical Device Quality Management Systems 4

Similar threads

Top Bottom