ISO 13485 Audit Finding on Regulatory Issues - Internal Audits

[kansascitysteve]

We are currently going through ISO 13485 certification and completed stage 1. The auditor reviewed all of our internal audit records and noted that we have not performed regulatory internal audits.

He tols us we had to complete a full internal audit to verify compliance with applicable regulations. We are also going for CMDCAS, TGA, and MDD with this audit.

Can someone please point me in the right direction with how to perform an internal regulatory audit? We have verified compliance with 13485, but am not sure where to begin for the various regulations.

Any help or guidance is greatly appreciated...!
Thanks

 

[cclee]

Re: 13485 Audit finding - Internal Audits

Hi, one approach you could use is to reference the applicable clause/section/article/Annex in your internal audit documents or records ( audit plan, checklist, matrix, ..etc) when assessing the audit evidence against the audit criteria.

For example, if your quality manual claims conformance to ISO13485, CMDCAS, MDD & PAL you should reference the apppropriate elements under assessment:

Audit topic: Control of records
ISO13485 - 4.2.4
CMDRs - sec. 9 (2), se. 34, sec. 43, sec 52-56
MDD - Annex II, 3.2
Article 9

Hope this helps.

 

[AndyN]

Re: 13485 Audit finding - Internal Audits

Have you been doing process based audits? If so, researching the various regulatory requirements affecting each process, from those requirements (CMDCAS etc) these can be added into whatever planning tool/checklist you use. If you've been doing just compliance to ISO 13485, you might have narrowly dodged another NC for not auditing processes, too...

 

[somashekar]

Re: 13485 Audit finding - Internal Audits

You could find some details in THIS thread ...

 

[Sidney Vianna]

Re: ISO 13485 Audit Finding - Internal Audits

He tols us we had to complete a full internal audit to verify compliance with applicable regulations. We are also going for CMDCAS, TGA, and MDD with this audit.

Any help or guidance is greatly appreciated...!
Thanks

While compliance with regulations is critical, ISO 13485 does not specifically mandate you perform an internal audit against regulatory requirements. If you can demonstrate that your organization has the knowledge & awareness of the requirements and compliance is assured via adherence to the business processes that embed the means to comply with regulations, an "internal regulatory compliance audit" would be redundant.

 

[Roland Cooke]

Re: ISO 13485 Audit Finding - Internal Audits

I basically agree with Sidney.

That said, I would perform an documentation audit against the various regulations to ensure that all applicable requirements have been built into the overall system.

In addition, you may find there is benefit in doing sub-audits that focus on specific regulatory elements (vigilance handling, technical files, etc).

 

[Jen Kirley]

Re: ISO 13485 Audit Finding - Internal Audits

While compliance with regulations is critical, ISO 13485 does not specifically mandate you perform an internal audit against regulatory requirements. If you can demonstrate that your organization has the knowledge & awareness of the requirements and compliance is assured via adherence to the business processes that embed the means to comply with regulations, an "internal regulatory compliance audit" would be redundant.

I am feeling too hot to believe I am as sharp as I otherwise hope to be, but I believe Sidney is saying the standard asks us to understand what regulations require of us, to build our systems in a way to clearly meet those requirements, and to audit against that system. Did I get that right, Sidney?

The thing is, in order to convince people we're doing this there should be evidence. There should be something that shows what regulations your organization recognizes it must meet, how your planning methods ensure that's getting done (including updates), and practical examples of procedures and actual activities supporting it's happened.

Typically auditors list an element number alongside evidence of compliance. In order to lay anyone's concerns to rest, when auditing heavily regulated systems like Process Safety Management I cite actual codes along with the standard elements I'm auditing against. Maybe this isn't the best method, but it's worked for my people and me.

 

[somashekar]

Re: ISO 13485 Audit Finding - Internal Audits

Going from the Title of ISO 13485 (Requirements for regulatory purpose), your internal audit scope must be specific to what you are auditing, based on the regulations to which you claim alignment of your QMS.
Ex.: ISO13485 + MDD + CMDR
The requirements for regulatory purpose once gets into the audit scope, will encompass the audit of specific requirements. Note that many of your procedures (documented or otherwise) for your various processes will be aligned to one or more regulatory requirements as well, and you may also have specific procedures for specific regulatory requirements.
Typically when an internal audit of design and development is planned, dwelling into the design inputs from the regulatory requirements points will be a good example, and from this all other design route could be audited.
CMDR requires certain annual renewals and if CMDR is in your internal audit scope, you could audit both the process of how this is complied with and look for records of evidence. Similarly MDD requires specific tasks for a manufacturer who is out of europe. These could also be audited for compliance when MDD is in your internal audit scope. So it depends on how you have integrated the regulatory inputs and tasks into your QMS, and how they are performed, including internal audits...

 

[Sidney Vianna]

Re: ISO 13485 Audit Finding - Internal Audits

Did I get that right, Sidney?

Hi Jennifer.
Yes, you got the essence of my post. But let me add: Assuring regulatory compliance via internal audits is like driving a car forward by looking at the rear view mirrors (pardon the cliche'). Internal audits are just one component of the check step in the PDCA cycle.

Compliance with regulatory regulations, just like focus on customer satisfaction and product conformity CAN ONLY be sustainably achieved if the tasks and activities necessary are EMBEDDED in the business processes of the organization. Some of the regulatory requirements any organization has to comply with are part of the QMS; So, if I internally audit my QMS thoroughly, I am ALSO checking if my organization has a system to ensure regulatory compliance or not, thus no need for a separate internal regulatory compliance audit.