Regulatory Open Forum

  • 1.  Internal audit schedule

    This message was posted by a user wishing to remain anonymous
    Posted 21-Sep-2023 09:02

    Hi everyone, 

    I would greatly appreciate your insights on this matter.

    We have an internal audit schedule that was originally devised by our former QA manager, who left the company a year ago. This schedule prioritizes different areas and processes within our organization based on their perceived risk levels.

    The schedule is organized as follows:

    1. Production: High Risk
    2. Management: Medium Risk
    3. Design Control: Low Risk
    4. Customer Process: Low Risk
    5. Infrastructure and Training: High Risk
    6. Purchasing: High Risk
    7. Monitoring and Measurement: Medium Risk

    According to this schedule, we are supposed to audit high-risk processes first, followed by medium-risk processes, and finally low-risk processes.

    My current task is to draft a risk assessment statement (or a similar document) that justifies how these risk levels were assigned to each process. Unfortunately, I've encountered a challenge because this information is not explicitly outlined in our QMS documents. Moreover, I'm unsure if the risk levels assigned to each process are accurate.

    We are a small R&D and manufacturing company for RUO products. We hold an ISO-13485 certification.

    Any guidance or insights you can provide would be immensely helpful.


  • 2.  RE: Internal audit schedule

    Posted 21-Sep-2023 09:35

    The easiest way, in my opinion, is to start fresh. Don't use the previous assessment.

    I infer you would like to keep the current high, medium, and low categories.

    Start by using the MDSAP scoring system. It divides the clauses of ISO 13485:2016 into two categories: indirect and direct. A nonconformance in an indirect clause gets 1 point and a nonconformance in a direct clause gets 3 points. Map your processes to the clauses in ISO 13485:2016. An indirect process starts at Low Risk and a Direct Process starts at Medium Risk.

    Then look at the previous two years of internal audit nonconformances for each process. If a process has a nonconformance in the same area in each of the previous two years, then the risk level goes up: low to medium or medium to high. This is similar to the MDSAP escalation for repeats.

    You could put in other factors such as second or third party audit nonconformances. To keep it simple, just fold them into the internal audits for scoring.

    This gives you an objective system that is easy to understand, explain to others, and administer.

    On a different note, consider dropping the whole concept. Instead, treat all processes the same, with no risk levels. Schedule internal audits "smoothly" throughout the year. Then, following ISO 13485:2016, 8.4.2, for audit nonconformances schedule a follow-up audit for the verification of the actions taken.

    Dan O'Leary CQA, CQE
    Swanzey NH
    United States

  • 3.  RE: Internal audit schedule

    Posted 22-Sep-2023 03:50

    Good day Anon,

    Using a risk-based approach for internal audits is a good and proper way to manage them, focusing on areas of concern or issues over periods of time. Just note, this concept is still "new" to many people even though it has been in ISO 19011 for quite some time now, and you will find auditors want to see a "normal" internal audit schedule covering all of the areas in one year. Having a well-established, clear, and understandable internal audit programme using a risk-based approach is really important.

    Which leads to your conundrum. You are absolutely correct that this risk level needs to be clearly defined: What is High, Medium, and Low? How is the risk examined for these processes? What are the criteria for assigning a risk level to a process or sub-processes? This does not have to be complicated either if the company is a small R&D and manufacturing company. The criteria can be something like number of internal audit findings, number of external audit findings, number of comments/improvements, criticality of the process (design and development, complaint handling), and/or maturity of the process. This is on an on-going basis, so when establishing the internal audit programme or schedule for the upcoming months you should re-apply the risk approach to the processes. Also, this does not have to be a once a year or once every other year activity; it can be on-going - I know, novel concept. Again, just keep in mind there is still a lack of understanding and acceptance in this area, so make sure it is well defined.

    Richard Vincins ASQ-CQA, MTOPRA, RAC
    Vice President Global Regulatory Affairs