ISO 13485:2016 Registration - NC on full cycle of internal audits

R

regork

#1
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
 
Elsmar Forum Sponsor
#2
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
I haven't found anyone who can define what a "full audit cycle" is so, to have received a non-conformity against an unspecified "requirement" seems a bit much to me. To force doing a whole QMS audit, when there were only a few changes to ISO 13485, seem "over-reach" to me. With other standards, I've seen the changes audited, which has been acceptable - and makes sense (to me at least).

Secondly, there IS no timeframe for getting audits done. A schedule isn't even a requirement, yet CB auditors demand them. Pack sand, I'd tell them! Your CB MAY have a contractual requirement to do audits annually (or similar), so check that first.

Most transitions need a plan - otherwise how do you know you've "arrived" having addressed the new stuff?
 
Last edited:
B

BhupinderSinghPawa

#3
Is this a Stage 1 or Stage 2 audit? I am assuming it is Stage 1; since the auditor can not give a Non Conformance - major or minor - without reference to the corresponding clause(s) in the standard in Stage 2; and in Stage 1 only findings are provided.

The prerequisite for Stage-2 audit is to have, among other elements
a QMS that adequately covers EN ISO 13485:2016,
at-least 1 Internal Quality Audit performed against the QMS, and
at-least 1 Management Review performed (preferably with results of the IQA).

Perhaps, the auditor's findings in Stage 1 is to ensure the completion prior to Stage 2. The Stage-2 audit will address the implementation of all the requirements of the standard
 
B

BhupinderSinghPawa

#4
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

This is a prerequisite for Stage-2 audit - a fully defined Quality Management System against 13485 and an Internal Quality Audit against the same.

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

The plan was for a phase wise deployment of QMS in the organization. In addition, the project transition document captured the movement from an existing process/documents to the QMS defined process/documents.

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

In my experience defined Quarterly Internal Audits with a full audit against the 13485 clauses covered in 1 year. The 13485 and EN ISO 19011 do not seem to prescribe a period. It's based on multiple factors - size of organization, risk classification of the medical devices, product complexity, scale of operations etc; that organization has to decide and NB to judge that it's adequate.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?


From a QMS definition point of view, you seem to be on solid ground.

From a QMS deployment point of view, extend the Gap Analysis document to include evidence of practice of revised SOP's. This could be a list of updated revised documents.

Also evidence the audit reports against the effective SOP's as of audit-date to show that audit was done against the revised SOP's.

If there is still a gap, then in next audit prior to stage-2, cover the gap in the internal audit scope.



TIA - Regork.
Refer to the inline response above.
 
R

regork

#5
BhupinderSinghPawa
Thank you for your response and thoughts. I may have mislead you on the company's certification, we actually did a transfer from another registrar of ISO 13485:2003. The new registrar was here to do the audit for the transfer and reassessment. We were not actually doing a new registration.

When you say that the internal audit is a prerequisite for Stage-2 audit is this listed in an ISO standard / document somewhere or where is that requirement defined?

Our transition quality plan contains verified proof that our QMS was updated to add the new requirements of the 2016 revision and regulatory requirements, but these changes were not very complex and we developed our internal audit schedule to complete the audits based on the risk of the SOP changes + plus the impact each SOP has on product quality (S&E) plus previous internal audit history / nonconformities issues against each SOP.

Keep in mind the scope of the company is 16 employees, no notified body / CE mark, and a class I device that the FDA is exercising enforcement discretion on. We do do software development of customer components medical devices.

I ended up responding to the internal audit NC by stating that we will do the internal audits within 45 days of issue. In reality, this NC should have been a major and prevented the certification, not a minor that can be verified during the next surveillance.

Regork
 
#6
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
We just went through our ISO 13485:2016 Transition audit and there was no mention to us of a requirement to perform an internal audit prior to the NB audit. We have a 3rd party perform our internal audits since we are too small to do internally, and our next internal audit is next week (a full 2 months after the Transition). We did exactly as you described - created a quality plan, performed a gap analysis, and closed the gaps - as prep for our transition.
 
#7
BhupinderSinghPawa
Thank you for your response and thoughts. I may have mislead you on the company's certification, we actually did a transfer from another registrar of ISO 13485:2003. The new registrar was here to do the audit for the transfer and reassessment. We were not actually doing a new registration.

When you say that the internal audit is a prerequisite for Stage-2 audit is this listed in an ISO standard / document somewhere or where is that requirement defined?

Our transition quality plan contains verified proof that our QMS was updated to add the new requirements of the 2016 revision and regulatory requirements, but these changes were not very complex and we developed our internal audit schedule to complete the audits based on the risk of the SOP changes + plus the impact each SOP has on product quality (S&E) plus previous internal audit history / nonconformities issues against each SOP.

Keep in mind the scope of the company is 16 employees, no notified body / CE mark, and a class I device that the FDA is exercising enforcement discretion on. We do do software development of customer components medical devices.

I ended up responding to the internal audit NC by stating that we will do the internal audits within 45 days of issue. In reality, this NC should have been a major and prevented the certification, not a minor that can be verified during the next surveillance.

Regork
It's in the CB accreditation requirements, ISO/IEC 17021. Certification clients such as you don't necessarily know about this stuff, so the CB is supposed to inform you (since you are already certified, the stage 2 doesn't apply)
 
F

Freeze1755

#8
We just completed the 13485:2016 audit (we're already certified to 2012) and got a Major Nonconformance for not having done an internal audit on all the quality system elements prior to the NB audit (we had just done Design Controls). Everything else was in place, and after 5 days they couldn't find any examples of us not complying with the new standard. Seems completely unreasonable to me-- anyone ever appealed a NC before?
 
Thread starter Similar threads Forum Replies Date
D Audit Report details when ISO 13485:2016 and cGMP 21 CFR 820 are applicable ISO 13485:2016 - Medical Device Quality Management Systems 6
E Theoretical project: Implementing ISO 13485:2016 into a start up acrylic bone cement manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 4
M ISO 13485: 2016 Lot numbering question ISO 13485:2016 - Medical Device Quality Management Systems 4
Q Documented Evidence of Training ISO 13485: 2016 ISO 13485:2016 - Medical Device Quality Management Systems 33
D Customer Survey Example - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 7
M Requirements ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 9
I EN ISO 13485:2016/A11:2021 ISO 13485:2016 - Medical Device Quality Management Systems 0
A ISO 13485:2016 Clause 8.2.1 ISO 13485:2016 - Medical Device Quality Management Systems 3
FuzzyD ISO 13485:2016 Clause 8.2.6 ISO 13485:2016 - Medical Device Quality Management Systems 4
K Can I make an exclusion of Design and Development in ISO 13485:2016 if my product is not regulated ISO 13485:2016 - Medical Device Quality Management Systems 12
B ISO 9001:2015 vs ISO 13485:2016 Gap analysis ISO 13485:2016 - Medical Device Quality Management Systems 9
K 3rd party auditor for ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 4
S Electronic Signatures - Non-Conformance - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 36
D Question regarding where "validations" fit according to ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 1
D Question on using audit checklist ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 20
M Customer Property - ISO 13485:2016 Clause 7.5.10 ISO 13485:2016 - Medical Device Quality Management Systems 9
H QMS ISO 13485:2016 - ISO14971 IEC60304 etc ISO 13485:2016 - Medical Device Quality Management Systems 6
B Operational Procedures for ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 7
Ed Panek ISO 13485:2016 Section 5.5.3 ISO 13485:2016 - Medical Device Quality Management Systems 3
S Inventory Listing and ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 3
M ISO 13485:2016 Certification Scope ISO 13485:2016 - Medical Device Quality Management Systems 4
D Reports under change management | ISO 13485:2016 & ISO 9001:2015 ISO 13485:2016 - Medical Device Quality Management Systems 3
M ISO 13485:2016 internal audit checklist Medical Device and FDA Regulations and Standards News 8
M How Specific in an ISO 13485:2016 Scope for a Contract Manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 9
0 ISO 13485:2016 Chapter 8 Integration of the subsections ISO 13485:2016 - Medical Device Quality Management Systems 3
T ISO 13485:2016 Clauses related to process matrix ISO 13485:2016 - Medical Device Quality Management Systems 3
J Can signed agreements over-ride review of every "contract" under ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 2
Q EN ISO 13485:2016/AC:2018 - AC:2018 being stated in the applicable harmonized standard listing Other ISO and International Standards and European Regulations 1
J Leveraging another company's ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 5
M ISO 13485-2016 online certification ISO 13485:2016 - Medical Device Quality Management Systems 3
S Supplier Management ISO 13485: 2016- Which supplier needs to fill in a self assessment form? ISO 13485:2016 - Medical Device Quality Management Systems 6
D Definition of equipment for ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 1
M ISO 13485:2016 Complaint Definition Clarity Customer Complaints 2
C ISO 13485 :2016 - CAPA - Does every CAPA need to be checked by regulations? ISO 13485:2016 - Medical Device Quality Management Systems 9
P ISO 13485:2016 MDSAP Certification Fee Survey ISO 13485:2016 - Medical Device Quality Management Systems 6
K Contamination Control - Class Is medical devices (Clause 6.4.2 ISO 13485:2016 (E)) ISO 13485:2016 - Medical Device Quality Management Systems 12
H ISO 13485:2016 Gap Analysis by NB ISO 13485:2016 - Medical Device Quality Management Systems 7
S SOP for ISO 13485:2016 Quality related Software validation ISO 13485:2016 - Medical Device Quality Management Systems 16
JoCam Difference between Approval and Registration - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 2
K ISO 13485:2016, Clause 4.2.3 Medical Device File ISO 13485:2016 - Medical Device Quality Management Systems 4
T Document control ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 5
A We are ISO 13485:2016 should we be audited to ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 16
E Equipment Qualification - IQ/OQ per ISO 13485:2016 section 7.5.6 Process validation ISO 13485:2016 - Medical Device Quality Management Systems 7
S Clinical Evaluation - Is this an ISO 13485:2016 requirement? ISO 13485:2016 - Medical Device Quality Management Systems 4
L ISO 13485:2016 Clause 8.4 - Analysis of Audit Observations ISO 13485:2016 - Medical Device Quality Management Systems 8
S When is ISO 13485:2016 6.4.2 Contamination Control appropriate? ISO 13485:2016 - Medical Device Quality Management Systems 11
L Templates for three ISO 13485:2016 SOPs ISO 13485:2016 - Medical Device Quality Management Systems 8
C What falls under the 'Customer Property' according to ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 29
M Is it possible to get iso 13485:2016 certified as a one man band ISO 13485:2016 - Medical Device Quality Management Systems 1
F ISO 13485:2016 Quality Policy Requirements Other ISO and International Standards and European Regulations 18

Similar threads

Top Bottom