ISO 13485:2016 Registration - NC on full cycle of internal audits

regork

Starting to get Involved
#1
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
 
Elsmar Forum Sponsor
#2
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
I haven't found anyone who can define what a "full audit cycle" is so, to have received a non-conformity against an unspecified "requirement" seems a bit much to me. To force doing a whole QMS audit, when there were only a few changes to ISO 13485, seem "over-reach" to me. With other standards, I've seen the changes audited, which has been acceptable - and makes sense (to me at least).

Secondly, there IS no timeframe for getting audits done. A schedule isn't even a requirement, yet CB auditors demand them. Pack sand, I'd tell them! Your CB MAY have a contractual requirement to do audits annually (or similar), so check that first.

Most transitions need a plan - otherwise how do you know you've "arrived" having addressed the new stuff?
 
Last edited:

BhupinderSinghPawa

Involved In Discussions
#3
Is this a Stage 1 or Stage 2 audit? I am assuming it is Stage 1; since the auditor can not give a Non Conformance - major or minor - without reference to the corresponding clause(s) in the standard in Stage 2; and in Stage 1 only findings are provided.

The prerequisite for Stage-2 audit is to have, among other elements
a QMS that adequately covers EN ISO 13485:2016,
at-least 1 Internal Quality Audit performed against the QMS, and
at-least 1 Management Review performed (preferably with results of the IQA).

Perhaps, the auditor's findings in Stage 1 is to ensure the completion prior to Stage 2. The Stage-2 audit will address the implementation of all the requirements of the standard
 

BhupinderSinghPawa

Involved In Discussions
#4
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

This is a prerequisite for Stage-2 audit - a fully defined Quality Management System against 13485 and an Internal Quality Audit against the same.

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

The plan was for a phase wise deployment of QMS in the organization. In addition, the project transition document captured the movement from an existing process/documents to the QMS defined process/documents.

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

In my experience defined Quarterly Internal Audits with a full audit against the 13485 clauses covered in 1 year. The 13485 and EN ISO 19011 do not seem to prescribe a period. It's based on multiple factors - size of organization, risk classification of the medical devices, product complexity, scale of operations etc; that organization has to decide and NB to judge that it's adequate.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?


From a QMS definition point of view, you seem to be on solid ground.

From a QMS deployment point of view, extend the Gap Analysis document to include evidence of practice of revised SOP's. This could be a list of updated revised documents.

Also evidence the audit reports against the effective SOP's as of audit-date to show that audit was done against the revised SOP's.

If there is still a gap, then in next audit prior to stage-2, cover the gap in the internal audit scope.



TIA - Regork.
Refer to the inline response above.
 

regork

Starting to get Involved
#5
BhupinderSinghPawa
Thank you for your response and thoughts. I may have mislead you on the company's certification, we actually did a transfer from another registrar of ISO 13485:2003. The new registrar was here to do the audit for the transfer and reassessment. We were not actually doing a new registration.

When you say that the internal audit is a prerequisite for Stage-2 audit is this listed in an ISO standard / document somewhere or where is that requirement defined?

Our transition quality plan contains verified proof that our QMS was updated to add the new requirements of the 2016 revision and regulatory requirements, but these changes were not very complex and we developed our internal audit schedule to complete the audits based on the risk of the SOP changes + plus the impact each SOP has on product quality (S&E) plus previous internal audit history / nonconformities issues against each SOP.

Keep in mind the scope of the company is 16 employees, no notified body / CE mark, and a class I device that the FDA is exercising enforcement discretion on. We do do software development of customer components medical devices.

I ended up responding to the internal audit NC by stating that we will do the internal audits within 45 days of issue. In reality, this NC should have been a major and prevented the certification, not a minor that can be verified during the next surveillance.

Regork
 
#6
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
We just went through our ISO 13485:2016 Transition audit and there was no mention to us of a requirement to perform an internal audit prior to the NB audit. We have a 3rd party perform our internal audits since we are too small to do internally, and our next internal audit is next week (a full 2 months after the Transition). We did exactly as you described - created a quality plan, performed a gap analysis, and closed the gaps - as prep for our transition.
 
#7
BhupinderSinghPawa
Thank you for your response and thoughts. I may have mislead you on the company's certification, we actually did a transfer from another registrar of ISO 13485:2003. The new registrar was here to do the audit for the transfer and reassessment. We were not actually doing a new registration.

When you say that the internal audit is a prerequisite for Stage-2 audit is this listed in an ISO standard / document somewhere or where is that requirement defined?

Our transition quality plan contains verified proof that our QMS was updated to add the new requirements of the 2016 revision and regulatory requirements, but these changes were not very complex and we developed our internal audit schedule to complete the audits based on the risk of the SOP changes + plus the impact each SOP has on product quality (S&E) plus previous internal audit history / nonconformities issues against each SOP.

Keep in mind the scope of the company is 16 employees, no notified body / CE mark, and a class I device that the FDA is exercising enforcement discretion on. We do do software development of customer components medical devices.

I ended up responding to the internal audit NC by stating that we will do the internal audits within 45 days of issue. In reality, this NC should have been a major and prevented the certification, not a minor that can be verified during the next surveillance.

Regork
It's in the CB accreditation requirements, ISO/IEC 17021. Certification clients such as you don't necessarily know about this stuff, so the CB is supposed to inform you (since you are already certified, the stage 2 doesn't apply)
 
#8
We just completed the 13485:2016 audit (we're already certified to 2012) and got a Major Nonconformance for not having done an internal audit on all the quality system elements prior to the NB audit (we had just done Design Controls). Everything else was in place, and after 5 days they couldn't find any examples of us not complying with the new standard. Seems completely unreasonable to me-- anyone ever appealed a NC before?
 
Thread starter Similar threads Forum Replies Date
S Supplier Management ISO 13485: 2016- Which supplier needs to fill in a self assessment form? ISO 13485:2016 - Medical Device Quality Management Systems 6
D Definition of equipment for ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 0
M ISO 13485:2016 Complaint Definition Clarity Customer Complaints 2
C ISO 13485 :2016 - CAPA - Does every CAPA need to be checked by regulations? ISO 13485:2016 - Medical Device Quality Management Systems 9
P ISO 13485:2016 MDSAP Certification Fee Survey ISO 13485:2016 - Medical Device Quality Management Systems 6
K Contamination Control - Class Is medical devices (Clause 6.4.2 ISO 13485:2016 (E)) ISO 13485:2016 - Medical Device Quality Management Systems 12
H ISO 13485:2016 Gap Analysis by NB ISO 13485:2016 - Medical Device Quality Management Systems 7
S SOP for ISO 13485:2016 Quality related Software validation ISO 13485:2016 - Medical Device Quality Management Systems 9
JoCam Difference between Approval and Registration - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 2
K ISO 13485:2016, Clause 4.2.3 Medical Device File ISO 13485:2016 - Medical Device Quality Management Systems 4
T Document control ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 5
A We are ISO 13485:2016 should we be audited to ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 16
E Equipment Qualification - IQ/OQ per ISO 13485:2016 section 7.5.6 Process validation ISO 13485:2016 - Medical Device Quality Management Systems 7
S Clinical Evaluation - Is this an ISO 13485:2016 requirement? ISO 13485:2016 - Medical Device Quality Management Systems 4
L ISO 13485:2016 Clause 8.4 - Analysis of Audit Observations ISO 13485:2016 - Medical Device Quality Management Systems 8
S When is ISO 13485:2016 6.4.2 Contamination Control appropriate? ISO 13485:2016 - Medical Device Quality Management Systems 11
L Templates for three ISO 13485:2016 SOPs ISO 13485:2016 - Medical Device Quality Management Systems 8
C What falls under the 'Customer Property' according to ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 10
M Is it possible to get iso 13485:2016 certified as a one man band ISO 13485:2016 - Medical Device Quality Management Systems 1
F ISO 13485:2016 Quality Policy Requirements Other ISO and International Standards and European Regulations 13
M Contract Manufacturers and MDF Responsibilities, ISO 13485:2016, Clause 4.2.3 ISO 13485:2016 - Medical Device Quality Management Systems 3
J ISO 13485:2016 sample exam/test ISO 13485:2016 - Medical Device Quality Management Systems 3
M Informational Questionário – Análise crítica sistemática – ISO 13485:2016 (Portuguese-only) Medical Device and FDA Regulations and Standards News 0
M Informational ISO 13485:2016 under systematic review Medical Device and FDA Regulations and Standards News 5
C Updates on Documentation for outsourced OEM from ISO 13485:2003 to ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 4
GStough Informational SN EN ISO 9001:2015 and SN EN ISO 13485:2016 on Same Certificate? Registrars and Notified Bodies 7
E MDSAP Audit - Our QMS conforms to ISO 13485:2016 and FDA GMP Canada Medical Device Regulations 9
Ronen E Informational ISO 13485:2016 Transition Period End - 1 March 2019 ISO 13485:2016 - Medical Device Quality Management Systems 0
B ISO 9001:2015 vs ISO 13485:2016 for MDR Compliance EU Medical Device Regulations 4
T ISO 13485:2016 - Processes exempt from process validation ISO 13485:2016 - Medical Device Quality Management Systems 12
C Medical device manufacturing (class 2 ISO 13485:2016) - Is a Deviation allowed? Other Medical Device Related Standards 5
J EU ISO 13485:2016 Recertification Audit - Effect of 10 Minor Nonconformances EU Medical Device Regulations 2
E Template of a Management Review Agenda or Report in compliance with ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 6
J ISO 13485:2016 Section 6.2 - Documenting the process for establishing competence ISO 13485:2016 - Medical Device Quality Management Systems 6
Q Any good Checklists for ensuring SOPs cover ISO 13485:2016 and 21CFR 820? ISO 13485:2016 - Medical Device Quality Management Systems 3
H Transition to ISO 13485:2016 together with ISO 9001:2015 ISO 13485:2016 - Medical Device Quality Management Systems 12
B Classes/ Online Training on ISO 13485:2016 and FDA QSR Part 820 ISO 13485:2016 - Medical Device Quality Management Systems 5
T Software Validation Certificate (ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 19
D ISO: 13485:2016 Sec. 7.5.2 (C) - Requirements for cleanliness of product or contamination control ISO 13485:2016 - Medical Device Quality Management Systems 2
M Internal Audit Assessment Criteria - ISO 13485:2016 Internal Auditing 21
C Software validation (4.1.6 ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 20
L Does anybody have quiz's available? ISO 13485:2016 Training Material Training - Internal, External, Online and Distance Learning 2
G ISO 13485:2016 and regulatory requirements - Contract Manufacturing ISO 13485:2016 - Medical Device Quality Management Systems 22
S ISO 13485:2016 and GDRP EU 2016/679 ISO 13485:2016 - Medical Device Quality Management Systems 5
JoshuaFroud Interpretation of Clause 5.5.2 in ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 2
R CNC Software Validation requirements as per ISO 13485:2016 Other ISO and International Standards and European Regulations 8
A ISO 13485:2016 Applicable regulatory requirements ISO 13485:2016 - Medical Device Quality Management Systems 2
C Will anyone please share training material for ISO:13485:2016 for best practices Training - Internal, External, Online and Distance Learning 0
T ISO 13485: 2016 Internal Audit - Is sampling on projects allowed? ISO 13485:2016 - Medical Device Quality Management Systems 6
D Where I can find an ISO 13485:2016 Audit Schedule example? ISO 13485:2016 - Medical Device Quality Management Systems 4

Similar threads

Top Bottom