ISO 13485:2016 Registration - NC on full cycle of internal audits

regork

Involved In Discussions
#1
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
 

AndyN

A problem shared...
Staff member
Super Moderator
#2
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
I haven't found anyone who can define what a "full audit cycle" is so, to have received a non-conformity against an unspecified "requirement" seems a bit much to me. To force doing a whole QMS audit, when there were only a few changes to ISO 13485, seem "over-reach" to me. With other standards, I've seen the changes audited, which has been acceptable - and makes sense (to me at least).

Secondly, there IS no timeframe for getting audits done. A schedule isn't even a requirement, yet CB auditors demand them. Pack sand, I'd tell them! Your CB MAY have a contractual requirement to do audits annually (or similar), so check that first.

Most transitions need a plan - otherwise how do you know you've "arrived" having addressed the new stuff?
 
Last edited:

BhupinderSinghPawa

Involved In Discussions
#3
Is this a Stage 1 or Stage 2 audit? I am assuming it is Stage 1; since the auditor can not give a Non Conformance - major or minor - without reference to the corresponding clause(s) in the standard in Stage 2; and in Stage 1 only findings are provided.

The prerequisite for Stage-2 audit is to have, among other elements
a QMS that adequately covers EN ISO 13485:2016,
at-least 1 Internal Quality Audit performed against the QMS, and
at-least 1 Management Review performed (preferably with results of the IQA).

Perhaps, the auditor's findings in Stage 1 is to ensure the completion prior to Stage 2. The Stage-2 audit will address the implementation of all the requirements of the standard
 

BhupinderSinghPawa

Involved In Discussions
#4
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

This is a prerequisite for Stage-2 audit - a fully defined Quality Management System against 13485 and an Internal Quality Audit against the same.

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

The plan was for a phase wise deployment of QMS in the organization. In addition, the project transition document captured the movement from an existing process/documents to the QMS defined process/documents.

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

In my experience defined Quarterly Internal Audits with a full audit against the 13485 clauses covered in 1 year. The 13485 and EN ISO 19011 do not seem to prescribe a period. It's based on multiple factors - size of organization, risk classification of the medical devices, product complexity, scale of operations etc; that organization has to decide and NB to judge that it's adequate.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?


From a QMS definition point of view, you seem to be on solid ground.

From a QMS deployment point of view, extend the Gap Analysis document to include evidence of practice of revised SOP's. This could be a list of updated revised documents.

Also evidence the audit reports against the effective SOP's as of audit-date to show that audit was done against the revised SOP's.

If there is still a gap, then in next audit prior to stage-2, cover the gap in the internal audit scope.



TIA - Regork.
Refer to the inline response above.
 

regork

Involved In Discussions
#5
BhupinderSinghPawa
Thank you for your response and thoughts. I may have mislead you on the company's certification, we actually did a transfer from another registrar of ISO 13485:2003. The new registrar was here to do the audit for the transfer and reassessment. We were not actually doing a new registration.

When you say that the internal audit is a prerequisite for Stage-2 audit is this listed in an ISO standard / document somewhere or where is that requirement defined?

Our transition quality plan contains verified proof that our QMS was updated to add the new requirements of the 2016 revision and regulatory requirements, but these changes were not very complex and we developed our internal audit schedule to complete the audits based on the risk of the SOP changes + plus the impact each SOP has on product quality (S&E) plus previous internal audit history / nonconformities issues against each SOP.

Keep in mind the scope of the company is 16 employees, no notified body / CE mark, and a class I device that the FDA is exercising enforcement discretion on. We do do software development of customer components medical devices.

I ended up responding to the internal audit NC by stating that we will do the internal audits within 45 days of issue. In reality, this NC should have been a major and prevented the certification, not a minor that can be verified during the next surveillance.

Regork
 
#6
Help, FYI, etc;
During our registration audit to ISO 13485:2016 of a medical device software manufacturer we got a minor ding for not completing a full audit cycle on our processes based on the ISO 13485 2016 revision of the standard. Instead of doing the audits, we developed a comprehensive audit plan to perform a gap analysis of changes, identify the changes, make the changes, establish the changes, and verify that the changes have been established. The elements of the plan against related procedures (and changes) were based on risk of meeting product quality and regulations.

We also had our audits planned at justified intervals over the next three years of the ISO certification period. All internal audits have been complete on time as required by our internal audit SOP.

I justified to the auditor that we transitioned to the new revision of the standard using a quality plan that included verification that the updated / new SOPs and QS documentation have been established. We agreed that we had no evidence that people were actually following the new procedures, in which the auditor said that the registration audit should not even be happening.

After licking our wound and understand that this transition to the new standard for everybody, what gives?

1. I do agree that we need to conduct internal audits to verify we conform to the standard and the updated requirements within, but what is your experience on the implicit time requirement of completing the full audit cycle before ISO 13485:2016 registration?

2. Have you used a quality plan to transition to rev 2016 to include verification the changed SOPs have been established instead of internal audit execution and records?

3. The standard has no requirement for conducting internal audits within a time frame or even that all internal audits have to take place within one year; however most auditors have an opinion that a company must conduct their internal audits each year for every process. I am very curios to get an updated view of this topic based on the new 2016 revision.

4. To solve the CAR, the auditor told us that we need to complete a full audit cycle of all our processes. I am of the mindset that our completed, verified quality plan for the transition is enough. what would you do to resolve the NC or escalate?

TIA - Regork.
We just went through our ISO 13485:2016 Transition audit and there was no mention to us of a requirement to perform an internal audit prior to the NB audit. We have a 3rd party perform our internal audits since we are too small to do internally, and our next internal audit is next week (a full 2 months after the Transition). We did exactly as you described - created a quality plan, performed a gap analysis, and closed the gaps - as prep for our transition.
 

AndyN

A problem shared...
Staff member
Super Moderator
#7
BhupinderSinghPawa
Thank you for your response and thoughts. I may have mislead you on the company's certification, we actually did a transfer from another registrar of ISO 13485:2003. The new registrar was here to do the audit for the transfer and reassessment. We were not actually doing a new registration.

When you say that the internal audit is a prerequisite for Stage-2 audit is this listed in an ISO standard / document somewhere or where is that requirement defined?

Our transition quality plan contains verified proof that our QMS was updated to add the new requirements of the 2016 revision and regulatory requirements, but these changes were not very complex and we developed our internal audit schedule to complete the audits based on the risk of the SOP changes + plus the impact each SOP has on product quality (S&E) plus previous internal audit history / nonconformities issues against each SOP.

Keep in mind the scope of the company is 16 employees, no notified body / CE mark, and a class I device that the FDA is exercising enforcement discretion on. We do do software development of customer components medical devices.

I ended up responding to the internal audit NC by stating that we will do the internal audits within 45 days of issue. In reality, this NC should have been a major and prevented the certification, not a minor that can be verified during the next surveillance.

Regork
It's in the CB accreditation requirements, ISO/IEC 17021. Certification clients such as you don't necessarily know about this stuff, so the CB is supposed to inform you (since you are already certified, the stage 2 doesn't apply)
 
#8
We just completed the 13485:2016 audit (we're already certified to 2012) and got a Major Nonconformance for not having done an internal audit on all the quality system elements prior to the NB audit (we had just done Design Controls). Everything else was in place, and after 5 days they couldn't find any examples of us not complying with the new standard. Seems completely unreasonable to me-- anyone ever appealed a NC before?
 
Top