ISO 13485 internal audit criteria

vrgoncalves

Registered
Hi all,

According to ISO 13485:2016, 8.2.4:

“The organization shall conduct internal audits at planned intervals to determine whether the quality management system:
  • Conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization and applicable regulatory requirements;
  • Is effectively implemented and maintained.”

Do you understand that ALL applicable regulatory requirements must be considered? Requirements applicable to the QMS and devices? Should the requirements of the General Data Protection Regulation (GDPR) that do not directly refer to the QMS/device, for example, when the company operates in the EC, be considered in the internal audit?

Depending on the number of markets in which the company operates, it may be impractical to consider all possible regulatory requirements. Does anyone have any rules, tips, guides, etc. that help with choosing the audit criteria in a practical way?

Thank you!

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
GDPR has its annual recertification process for the US Dept of Trade, your privacy policy and Data Privacy Framework

GDPR is not part of our internal annual ISO audit nor is our annual FDA Site Registration requirement. These are simply tasks we process annually and report in Management Review. Management Review should have those items though. Use a risk-based assessment to guide you.
 

Ronen E

Problem Solver
Moderator
> Hi all,
>
> According to ISO 13485:2016, 8.2.4:
>
> “The organization shall conduct internal audits at planned intervals to determine whether the quality management system:
>   • Conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization and applicable regulatory requirements;
>   • Is effectively implemented and maintained.”
>
> Do you understand that ALL applicable regulatory requirements must be considered? Requirements applicable to the QMS and devices? Should the requirements of the General Data Protection Regulation (GDPR) that do not directly refer to the QMS/device, for example, when the company operates in the EC, be considered in the internal audit?
>
> Depending on the number of markets in which the company operates, it may be impractical to consider all possible regulatory requirements. Does anyone have any rules, tips, guides, etc. that help with choosing the audit criteria in a practical way?
>
> Thank you!

This is an audit of the QMS. Requirements that don't apply to the QMS (and anything in it) do not belong in the scope. Having said that, the device(s) is/are within the realm of the QMS, so I'm inclined to think requirements that directly relate to the devices should be included.

General note: Almost all audits (internal and external) are conducted on a sampling basis, because it's impractical to cover "everything" (all processes, all devices, all requirements, all jurisdictions etc.). Apply this principle to the above. Sampling must be robust and have a valid rationale though. For example, you can't omit your leading market. Put some thought into hedging the scope and make sure to document your rationale, so it can be reviewed, debated, defended, and if need be - amended.

Your goal should be to demonstrate that your QMS does not have serious gaps in adhering to applicable regulatory requirements (or alternatively, point out gaps that exist and need to be closed). It's not proof, only a demonstration; but that demonstration should be pretty thorough and convincing, if the outcome is "everything is all right, nothing needs fixing". If, on the other hand, the audit managed to spot some important deficiencies, it did its job, because it allowed you to bring your QMS closer to the ideal, perfect QMS (which exists only in theory).

vrgoncalves

Registered
Thank you to all for the answers.

Maybe ISO 13485 itself or its practical guide could clarify this further, because although GDPR, REACH regulation etc. are not regulations entitled as QMS regulations, QMS processes cover activities to comply with some requirements of these regulations (among others).
The sentence "...and applicable regulatory requirements" in 8.2.4 is too broad...

Philip B

Quite Involved in Discussions
Under your ISO 13485 certification you will have a scope of activities. Your internal audits need to address everything directly related to that scope. I would ignore anything that is only tangentially related, e.g. GDPR, PPE regs etc. I doubt any certification body auditor will have an issue with this.

For all of our internal audits, we state the scope as:

ISO 13485
EU MDR
UK MDR
Company policies and procedures

HTH

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
> Under your ISO 13485 certification you will have a scope of activities. Your internal audits need to address everything directly related to that scope. I would ignore anything that is only tangentially related, e.g. GDPR, PPE regs etc. I doubt any certification body auditor will have an issue with this.
>
> For all of our internal audits, we state the scope as:
>
> ISO 13485
> EU MDR
> UK MDR
> Company policies and procedures
>
> HTH

Good advice. From a practical matter, most auditors won't wade deeply into GDPR for several reasons. It's rather technical, it's rapidly evolving, written by lawyers. In order for an auditor to really understand how your device fits into GDPR will require hours or days of research most auditors don't have the time for. My auditor just sees we have a GDPR SOP, a policy on information classification, an annual mock disaster report etc.