The Road To ISO 13485 Certification: Tips For Effective Audits
By Joanne Rupprecht, Boulder iQ
We all know a moving target is hardest to hit. Whether it’s a high-speed tennis ball or an audit, keeping your eye on the target at all times is the key to success.
Even the mention of the term “audit” can send people cowering under their desks. Indeed, the variety of quality and safety standards and requirements medical device manufacturers must adhere to can be overwhelming, especially if operations are international as well as domestic. But there are ways to prepare for and conduct an audit that will keep you out from under the desk and produce positive results.
Understanding ISO 13485
ISO 13485 is one of many International Organization for Standardization (ISO) standards, and it is specific to the expectations and requirements for a compliant medical device quality management system in the medical device industry. Against that background, the next step is to understand the base requirements of the ISO 13485 standard and its relationship to 21 CFR Part 820, the Quality System Regulation (QSR), which codifies the expectations and requirements of the FDA. The QSR is the regulation that ensures all medical devices created and developed within the United States are safe and follow satisfactory quality processes throughout their development.
Currently, compliance with ISO 13485 is voluntary, while compliance with the QSR is not. In fact, medical devices are considered “adulterated” if the associated quality management system (QMS) is not compliant with the QSR. Yet, the significance of ISO 13485 certification becomes more apparent given that compliance with that standard can serve as evidence of a compliant QMS during FDA audits. And, in early 2022, the FDA proposed an amendment to the QSR that will incorporate ISO 13485. While this will likely not take place until at least 2024, the movement is an indication that ISO 13485 audits will become more common.
The Importance Of ISO 13485 Audits
When a notified body conducts an audit for purposes of ISO 13485 certification, the intent — to the surprise of some people — is not to find fault but rather to assess a device manufacturer’s processes against the ISO 13485 standard and identify areas for improvement.
Still, heading into an audit can be nerve-wracking. No one wants to fall short of expectations — their own, their company’s, and those of the notified body requesting the audit. Common concerns when going into an ISO 13485 audit include:
- inadequate preparation of facility and staff,
- inability to answer the auditor’s questions,
- regretting an answer provided to an auditor’s question,
- lack of complete documentation available upon request, and
- an out-of-compliance finding.
In truth, some of these concerns are well-founded. The most common ISO 13485 audit observations include non-adherence to policies, processes, and procedures and inadequate or inaccurate records. The best way to allay concerns and increase chances of avoiding those out-of-compliance findings is to prepare, prepare, prepare.
- Know your stuff! Understanding the standard is essential for any medical device manufacturer. Buy the standard, and make sure it’s the latest version, including all amendments. Get to know it well.
- Become familiar with the resources offered by the ISO’s Committee on Conformity Assessment.
- Implement the standard in internal processes and procedures. Working with ISO 13485 is really all about designing, implementing, maintaining, and improving the quality management system of your organization around its requirements. While there’s no doubt that notice of an audit can elevate these actions, implementation should be an ongoing process.
Organizations should, as best practice, always be preparing for an audit through good documentation practices (GDPs). From an audit perspective, GDPs allow:
- transfer of consistent information among internal and external parties,
- auditors to understand a project’s history, assess the performance of obligations, and verify compliance,
- auditors to reverse-engineer any steps in the device’s development, and understand the reasoning,
- more efficient personnel training and cross-training, and
- creation of internal standards upon which continual improvements can build.
Each manufacturer must apply good judgment to determine how best to implement GDPs, but one basic rule applies: When it comes to an audit, if what you are doing isn’t written down, it doesn’t exist. To the extent it is written, but not done, it is documenting your noncompliance.
- Educate. Each person in a medical device manufacturing facility needs to understand the expectations of ISO 13485 (and the QSR). Preparing for an audit is everyone’s job, and each person needs to incorporate the standard into their day-to-day activities, processes, and procedures. Taking these steps, along with proactive education and training on ISO 13485 expectations, is essential in preparing for an audit.
Tips: Upon Scheduling Of An Audit
- Obtain the audit plan. After the audit has been scheduled, request a detailed audit plan from the notified body conducting the audit. This plan serves as a road map for what documentation and records will be reviewed in the audit. It should include the audit’s scope, materials requested in advance, and a request to access the site. The plan also should address any previous nonconformities or opportunities for improvement, providing a guide for anyone working on those improvements to complete their work. Typically, a company will receive the audit plan several weeks — or even months — in advance of the requested time period for the audit.
- Distribute the audit plan. An audit is a team sport. Establish open communication channels. Make sure each member of the team feels that they are in a safe environment and can disclose and address any issues at any time. If each person understands the goal and scope of the audit, they will be ready when the time comes for assessment of the processes, procedures, and timelines for which they are responsible.
- Review one of the many ISO 13485 audit checklists available online. Even better, request one directly from the notified body conducting the audit, and review it thoroughly with your internal audit team. Alternatively, you can create your own checklist by reviewing the ISO 13485 standard itself.
- Organize, declutter, clean. Allow adequate time to clean and organize all work spaces and files. Get all records in order so that you can respond to questions and requests quickly and easily, in a focused manner. This will help avoid “audit creep” into areas outside the stated scope.
Tips: During The Audit
- Rest up. It may sound basic, but make sure everyone is well-rested and well-fed before beginning the audit. The most valuable components in an ISO 13485 audit are good attitudes, open eyes, and readiness to respond.
- Request permission to record the audit interactions. If not allowed, designate a good note-taker. Also designate an audit lead to check in with the auditor often to make sure they have everything they need.
- Make sure employees are ready and available for any requested interviews. Keep a list of subject matter experts the auditor can speak with on specific topics. Each employee should be prepared to retrieve applicable records and to demonstrate processes and procedures pertinent to their job, if asked.
- Address questions succinctly. Respond to any questions with the detail necessary — no more. Do not offer or prepare information unless it is specifically requested. It is often in an awkward silence that auditors obtain information that is not always to the benefit of the organization. If you don’t know the answer, be honest and say so. Find the person who can answer the question or, if necessary, explain that you don’t have the information but will obtain it. A deferred answer is better than a wrong answer.
- Exercise caution in questioning or pushing back on a potential finding. Adopt an attitude of openness, transparency, and learning. Constructive dialogue can result if all parties can walk away feeling heard and understood. Sometimes, that in itself is a victory.
- Look forward to the closing meeting. It represents an important learning opportunity. You will learn that you have met expectations or have fallen short. Either way, the information you garner will improve future operations.
Audit Interview Do’s And Don’ts
- Be polite, but limit casual conversation.
- Answer questions completely, directly, and honestly with supportable facts. Steer clear of opinion.
- Respectfully disagree when appropriate; ask for clarification.
- Offer responses of “I do not know” or “I do not remember,” if appropriate, followed with when you will have the information or a referral to the correct subject matter expert.
- Keep an inventory and a copy of anything you provide the auditor.
- Show only one record at a time, if possible.
- Correct any errors in speaking as soon as possible to avoid miscommunication.
- Note any questions you were uncomfortable answering or would have answered differently in retrospect.
- Conduct a short daily internal debrief during the audit.
- Expect what you say to be documented. There is no such thing as “off the record” in an audit.
- Misrepresent the truth or leave out important facts.
- Correct a colleague in front of the auditor.
- Correct documents when reviewing them with the auditor.
- Guess or make up an answer.
- Volunteer more information than necessary.
- Feel like you have to fill dead air.
- Question the auditor’s authority, argue, or raise your voice.
- Agree to or volunteer to change a policy or procedure during the audit.
- Refer to uncontrolled documents.
Bring The Lessons Forward
If you learn that you have any non-conformance (minor or major) findings or opportunities for improvement, assess their risk and address them accordingly. Take the corrective actions necessary and follow up as needed to close out the findings with the auditor. Follow-up determines the actual success of the audit.
With proper preparation, an ISO 13485 audit can serve its intended purpose of holding medical device manufacturers to high standards of quality for the benefit of the organization, the industry, and, most importantly, consumers.
About The Author:
Joanne Rupprecht is senior vice president, regulatory and quality, at Boulder iQ. Proficient in FDA and international regulatory affairs and quality systems, Rupprecht’s expertise includes the implementation of quality management systems and regulatory strategies, submissions, and negotiations for medical devices. She also serves as an adjunct professor in the master’s program in biomedical sciences and biotechnology at the University of Colorado Denver, Anschutz Medical Campus. Rupprecht received a B.S. from the University of Illinois, and a J.D. from the University of Denver Sturm College of Law. She can be reached at Jo.Rupprecht@boulderiq.com or on LinkedIn.