ISO 13485 - Requirement for Sub-Systems Audited per Year?

A

Auditor99

#1
Hello-

I'm an auditor for a class II MedDev 13485-certified firm. For the last couple of years (we became certified 2 years ago) I've been including every sub-system (as defined by 13485) in the audit schedule and specifically auditing each one a minimum of once per year. However, when I was recently reading over the standard I noticed that there is no specific requirement in the standard stating that this frequency of audit is necessary.

Does anyone know what ISO's expectations are in this regard? I'm considering spacing out the frequency of some of the subsystems in which my company has a better showing to once every couple of years, leaving me more time to focus on higher areas of risk - but I don't want to jeopardize our certification by not sticking to the "once per year" regimen...

thanks
 
Elsmar Forum Sponsor
A

arios

#2
Re: ISO 13485: Requirement for Sub-Systems Audited per Year?

Like you said there is no specific reference in the ISO 13485 std about the frequency and depth of your internal audits. The basis for the planning of internal audits is referred to in section 8.2.2. but it is not specific so you determine how it should be done.

Some registrars (Notified Bodies), not sure if all of them have some more particular requirements in their Conditions of Contract where they indicate some audit planning requirements, e.g. like prior to your initial certification all of the processes of the QMS should be audited. It would be convenient for you to inquiry in those COC's to look for guidance.
 
#3
Re: ISO 13485: Requirement for Sub-Systems Audited per Year?

Hello-

I'm an auditor for a class II MedDev 13485-certified firm. For the last couple of years (we became certified 2 years ago) I've been including every sub-system (as defined by 13485) in the audit schedule and specifically auditing each one a minimum of once per year. However, when I was recently reading over the standard I noticed that there is no specific requirement in the standard stating that this frequency of audit is necessary.

Does anyone know what ISO's expectations are in this regard? I'm considering spacing out the frequency of some of the subsystems in which my company has a better showing to once every couple of years, leaving me more time to focus on higher areas of risk - but I don't want to jeopardize our certification by not sticking to the "once per year" regimen...

thanks
I believe you are missing an opportunity! It's not 'ISO's Expectations' you have to consider - not expectations, but requirements! You have to consider your audit program based on 'status and importance' - risk and impact of the risk, if you'd prefer - or your customers', regulatory and management expectations, perhaps.

Clearly once a year may not be adequate and I'd doubt that once every two years (or more) is either! Your CB may have allowed the once a year, but you should be looking at more than business related issues than simply a frequency...Take a look at this article:

http://www.nqa-usa.com/resources/articles_detail.php?id=48
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#4
Re: ISO 13485: Requirement for Sub-Systems Audited per Year?

I believe you are missing an opportunity! It's not 'ISO's Expectations' you have to consider - not expectations, but requirements! You have to consider your audit program based on 'status and importance' - risk and impact of the risk, if you'd prefer - or your customers', regulatory and management expectations, perhaps.
Spot on, Andy. It is AMAZING how so many organizations fail to pay attention to this requirement of the standard, and "waste" internal audit resources in non-critical, mature, stable, inconsequential, etc. processes.

Even the ISO TC 176 advises CB auditors to assess the effectiveness of internal audits through that perspective: Auditing the Effectiveness of the Internal Audit
 

jkuil

Quite Involved in Discussions
#5
Fair or not, if you have an audit frequency of less than once a year, you may expect questions by NBs auditors. You have to present results of performance indicators that the subprocess is effective. Last audit of the subproces must also show that it meets the requirements. Lastly, the subproces may not have been significantly changed. If it is, it needs to be picked up in the anual definition of the audit schedule.
 

Ajit Basrur

Staff member
Admin
#6
Great responses so far.

My :2cents: is not to see the audit frequency just as a number but do a Risk analysis of your QMS and see if its okay to do it once a year / twice a year.
 

fialor

Involved In Discussions
#7
Cat amongst pigeons here...
I have a client who is looking to move their audit frequency as a minimum to once every 2 years due to resource constraints. And is unwilling to listen to why a risk approach is best for determining frequency and also why this might be an issue for its registrar/NB.

Any comments?
 

yodon

Staff member
Super Moderator
#8
Guessing they're doing a "big bang" type internal audit (complete audit of the system each time) and they probably see no added-value with internal audits? I think a better practice is more frequent, shorter-run, focused audits (using risk to guide and taking the process approach, of course).

Do they have / want management reviews every 2 years? In general, do they see any value in the QMS at all?

An auditor may not directly cite a 2-year frequency as a nonconformity but that may be compelled to dig really deep and if they find issues (that you should have found), they're likely to say the internal audit program is ineffective.
 

Ajit Basrur

Staff member
Admin
#9
Cat amongst pigeons here...
I have a client who is looking to move their audit frequency as a minimum to once every 2 years due to resource constraints. And is unwilling to listen to why a risk approach is best for determining frequency and also why this might be an issue for its registrar/NB.

Any comments?
Sorry did not understand your question - do you see an issue with your client auditing your organization to a 2-year frequency?
 
#10
Hello-

I'm an auditor for a class II MedDev 13485-certified firm. For the last couple of years (we became certified 2 years ago) I've been including every sub-system (as defined by 13485) in the audit schedule and specifically auditing each one a minimum of once per year. However, when I was recently reading over the standard I noticed that there is no specific requirement in the standard stating that this frequency of audit is necessary.

Does anyone know what ISO's expectations are in this regard? I'm considering spacing out the frequency of some of the subsystems in which my company has a better showing to once every couple of years, leaving me more time to focus on higher areas of risk - but I don't want to jeopardize our certification by not sticking to the "once per year" regimen...

thanks
If that helps, we've switched to a "risk-based" internal audit planning when transitioning to ISO13485:2016 (in 2018). Our high-risk processes are audited each year, other processes every two years. The lead auditor was a bit surprised at that time, but quickly agreed on this and emphasized it as a "smart" implementation of a risk based QMS in his conclusions (to be honest, he is one of the best auditor we ever had). Of course, your planning can be organized differently in cases of changes or particular situations (for example, in preparation of our first MDSAP audit, we added audits to the schedule).
 
Thread starter Similar threads Forum Replies Date
A ASL requirement when the supplier is certified for ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 6
C ISO 13485 Requirement in Australia/NZ for class 1? ISO 13485:2016 - Medical Device Quality Management Systems 1
S Clinical Evaluation - Is this an ISO 13485:2016 requirement? ISO 13485:2016 - Medical Device Quality Management Systems 4
T Is there any requirement to be compliant with IEC 62304 while implementing ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 5
A Requirement to Identify Changes to record in ISO 13485 : 2016 ISO 13485:2016 - Medical Device Quality Management Systems 4
R ISO 13485:2016 - Quality Objectives Regulatory Requirement Examples ISO 13485:2016 - Medical Device Quality Management Systems 1
S Is a Quality Policy Statement a Requirement? (ISO 13485) ISO 13485:2016 - Medical Device Quality Management Systems 7
T Attribute vs Variable Inspection Data ISO 13485 Requirement ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
G Rework requirement in ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 5
R ISO 13485 vs FDA Requirement question about when ISO 13485 Certification is Required ISO 13485:2016 - Medical Device Quality Management Systems 4
I Does ISO 13485 have a Periodic Document Review Requirement? ISO 13485:2016 - Medical Device Quality Management Systems 7
R ISO 13485 Clause 4.2.1 - Documentation Requirement question ISO 13485:2016 - Medical Device Quality Management Systems 4
G ISO 13485 Requirement on labeling product in WIP (Work In Process) ISO 13485:2016 - Medical Device Quality Management Systems 4
R Is there an ISO 13485 requirement to solicit Customer Feedback? Customer Complaints 5
D Is Process Mapping an ISO 13485 Requirement? Process Maps, Process Mapping and Turtle Diagrams 4
T ISO 13485 Documented Data Protection Procedure Requirement ISO 13485:2016 - Medical Device Quality Management Systems 3
H Material Non-conformance Requirement - ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 8
Q ISO 13485 Quality Manual Requirement ISO 13485:2016 - Medical Device Quality Management Systems 2
M Engineering Drawing Number Procedure Requirement - ISO 13485:2003 4.2.1 d)? Document Control Systems, Procedures, Forms and Templates 3
G Advisory Notices - What is the Requirement in ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 7
R Requirement to be registered to ISO 13485 by the end of 2006? ISO 13485:2016 - Medical Device Quality Management Systems 3
Ed Panek ISO 13485:2016 Section 5.5.3 ISO 13485:2016 - Medical Device Quality Management Systems 3
ebrahim QMS as per ISO 13485, Clause 4.2 Requirements for regulatory purposes for Medical Devices Authorized Representatives. ISO 13485:2016 - Medical Device Quality Management Systems 3
D ISO 13485 scope (implantable) - Polymers for dental application EU Medical Device Regulations 9
N ISO 13485 7.3.9 Change control in medical device software ISO 13485:2016 - Medical Device Quality Management Systems 6
A ISO 13485 procedure change and reflect to legacy manufacture items ISO 13485:2016 - Medical Device Quality Management Systems 2
D ISO 13485 & CE Certification for Surgical Gloves CE Marking (Conformité Européene) / CB Scheme 0
S Inventory Listing and ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 3
M ISO 13485:2016 Certification Scope ISO 13485:2016 - Medical Device Quality Management Systems 2
D Reports under change management | ISO 13485:2016 & ISO 9001:2015 ISO 13485:2016 - Medical Device Quality Management Systems 3
M Scope for ISO 13485 Certification of a Translation Service Provider ISO 13485:2016 - Medical Device Quality Management Systems 17
Q ISO 13485 7.5.6 Validation - Off the shelf Software ISO 13485:2016 - Medical Device Quality Management Systems 3
A ISO 13485 Certification for Resin Manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 4
A ISO 13485 Sterilization Clause Applicability ISO 13485:2016 - Medical Device Quality Management Systems 7
K ISO 13485 and compliance of electronic signature ISO 13485:2016 - Medical Device Quality Management Systems 5
T ISO 13485 - Assembly instructions written vs. online ISO 13485:2016 - Medical Device Quality Management Systems 5
M ISO 13485:2016 internal audit checklist Medical Device and FDA Regulations and Standards News 5
N 93/42/EEC certification without ISO 13485 EU Medical Device Regulations 3
M How Specific in an ISO 13485:2016 Scope for a Contract Manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 9
A ISO 13485 for Class 1 Medical Device ISO 13485:2016 - Medical Device Quality Management Systems 7
0 ISO 13485:2016 Chapter 8 Integration of the subsections ISO 13485:2016 - Medical Device Quality Management Systems 3
M Change in Constitution / Ownership of firm -------ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 1
E ISO 13485 QMS certification as a Supplier ISO 13485:2016 - Medical Device Quality Management Systems 8
T ISO 13485:2016 Clauses related to process matrix ISO 13485:2016 - Medical Device Quality Management Systems 3
J Can signed agreements over-ride review of every "contract" under ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 2
J Implementing an ISO 13485 QMS Software ISO 13485:2016 - Medical Device Quality Management Systems 6
Q EN ISO 13485:2016/AC:2018 - AC:2018 being stated in the applicable harmonized standard listing Other ISO and International Standards and European Regulations 1
J Leveraging another company's ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 5
J New Job Position - Achieving ISO 13485 Certification ISO 13485:2016 - Medical Device Quality Management Systems 5
A Scope of ISO 13485 certificate ISO 13485:2016 - Medical Device Quality Management Systems 1

Similar threads

Top Bottom