Need Advice: Regulatory Requirements Audits

[GStough]

I'm looking for advice on how to do regulatory requirements audits on our products, some of which are PPE and some are medical devices. For these regulatory audits, I have basically 5 regulatory documents to audit against - ISO 13485:2003, 21 CFR 820, PPED, MDD, & CMDR.

If there is anyone out there who has been in a similar situation and can offer advice, I would certainly appreciate it. I have some questions about how one goes about doing these regulatory requirements audits:

- Does each product (PPE and medical device) have to be audited each year, or can we choose one product one year and then rotate products for subsequent years until all products have been audited?

- How does one link common requirements found in ISO 13485 & 21 CFR 820 to those also required in CMDR and MDD? As I understand it, some of the 13485 requirements overlap the CMDR, MDD and 21 CFR 820, so I would need some method of tying together those requirements when the 13485/21 CFR 820 requirements are covered in our regular internal audits, wouldn't I?

This sounds complicated, I know, but I would certainly appreciate any help anyone can offer - even if it is just a web site or link or whatever.... If more info is needed, let me know and I'll try to be more specific.

Did I mention that I have to do this regulatory requirements audit by the end of this year??

TIA...

 

[Coury Ferguson]

Can anyone help Gidget here?

 

[MIREGMGR]

- Does each product (PPE and medical device) have to be audited each year, or can we choose one product one year and then rotate products for subsequent years until all products have been audited?

We make a lot of medical devices under 820/13485/MDD/CMDR, and also a few PPEs. If either of those approaches you outline is required of us, I've totally missed the boat on those requirements, and my employer is in big trouble.

We audit our general operations in relation to our QMS, including monthly internal audits on a one year rolling cycle, but we don't audit individual products per se. Several of our OEM customers audit us similarly on a one-year schedule, though that's supplemented with frequent regulatory contact in the course of regular operations.

We have several thousand active products, if we count contract manufacturing relationships for which we have some degree of regulatory responsibility. It would take us a long time to cycle through our entire product group if we audited one product a year...or even one product a day.

 

[GStough]

We make a lot of medical devices under 820/13485/MDD/CMDR, and also a few PPEs. If either of those approaches you outline is required of us, I've totally missed the boat on those requirements, and my employer is in big trouble.

We audit our general operations in relation to our QMS, including monthly internal audits on a one year rolling cycle, but we don't audit individual products per se. Several of our OEM customers audit us similarly on a one-year schedule, though that's supplemented with frequent regulatory contact in the course of regular operations.

We have several thousand active products, if we count contract manufacturing relationships for which we have some degree of regulatory responsibility. It would take us a long time to cycle through our entire product group if we audited one product a year...or even one product a day.

Thanks for the reply, MIREGMGR. Actually, the opposite is true of my company. The majority of our products are PPE, while a small percentage is medical devices (and class I at that). And I wouldn't say that there are "a lot" of products that would fall into this category at this time. From what I understand of the explanation given by our CB, one regulatory requirements audit per year would meet the requirement. Although it probably could be covered during the course of our internal audits throughout the year, it would probably be easier to keep it separate from the usual internal audits and handle it differently.

My boss just thought that maybe someone here has been through a similar situation, so I thought I would ask. Thanks for the replies so far.

 

[BradM]

We make a lot of medical devices under 820/13485/MDD/CMDR, and also a few PPEs. If either of those approaches you outline is required of us, I've totally missed the boat on those requirements, and my employer is in big trouble.

We audit our general operations in relation to our QMS, including monthly internal audits on a one year rolling cycle, but we don't audit individual products per se. Several of our OEM customers audit us similarly on a one-year schedule, though that's supplemented with frequent regulatory contact in the course of regular operations.

We have several thousand active products, if we count contract manufacturing relationships for which we have some degree of regulatory responsibility. It would take us a long time to cycle through our entire product group if we audited one product a year...or even one product a day.

Thanks for the succinct, but informative write-up. Your approach is highly similar to the facility(ies) I'm involved with. The audits are process-based, with the multiple requirement woven in to the QMS. There are some corporate auditors who perform desk audits once in a while to verify the 13485 and other requirements are part of the process.

 

[Sidney Vianna]

From what I understand of the explanation given by our CB, one regulatory requirements audit per year would meet the requirement.

Gidget, what exactly is the requirement? Can you please identify it, cut and paste it here? It might be one of those situations where people read more into it than the actual intent of the requirement.

 

[Weiner Dog]

It seems that the administrative regulatory side (such as 21 CFR 801, 807, MDD) sometimes gets forgotten to be audited, in that internal audits mostly concentrate on quality issues (such as 21 CFR 820 or ISO 13485). However, the external auditor doesn't forget the regulatory side- with this work mostly done before the exteral audit visit.