Regulatory Open Forum

  • 1.  Internal Audit Process Requirements

    This message was posted by a user wishing to remain anonymous
    Posted 27-Sep-2019 09:49

    Dear Members,

    I would like to have your input on how you demonstrate that specific requirements from different markets are being audited internally through the processes. As an example, our Quality Manual lists all the required standards and applicable regulatory requirements, and our SOPs do the same. Our Internal Audit planning lists the applicable standards and regulations and our report template lists ISO and 21 CFR, but a third-party auditor was expecting to see that a specific item (annex V of MDD not to mention) was part of the audit on the related process. It did not result in an NC, but I would like to ensure this will not come up again. What do you guys do or recommend?

    Thanks a lot!


  • 2.  RE: Internal Audit Process Requirements

    Posted 27-Sep-2019 10:28

    Hello,

    I would recommend creating a cross-reference matrix (table) of all the relevant regulations. This can be a standalone document or an appendix to your Quality Manual. Then all your SOPs, including your internal audit SOP, can reference that document instead of all of them individually needing to reference all of the standards. In your internal auditor training, explain that the scope of internal audits encompasses all the relevant standards in the cross-reference matrix, not just ISO and 21 CFR.

    Best,

    Hiral



    ------------------------------
    Hiral Dutia
    Norwood MA
    United States
    ------------------------------



  • 3.  RE: Internal Audit Process Requirements

    Posted 27-Sep-2019 12:18

    My recommendation is that you don't do anything based on the comment of an external auditor. This is a problem I see in a lot of companies. An external auditor makes a recommendation or expresses an expectation and the company reacts by adding something to the QMS. Because it is not a requirement, it doesn't add value. The next auditor does the same thing, and pretty soon the QMS is full of "extra" stuff that doesn't add value. Moreover, it makes change management more difficult.

    I've inferred that you do have an adequate process to ensure your procedures satisfy the requirements from these various markets and that your internal quality program is effective in ensuring your processes meet the requirements.

    In my opinion, there is nothing to change. (If it ain't broke, don't fix it.)



    ------------------------------
    Dan O'Leary CQA, CQE
    Swanzey NH
    United States
    ------------------------------



  • 4.  RE: Internal Audit Process Requirements

    Posted 30-Sep-2019 10:32
    Good day,

    I would highly suggest creating an Audit Plan, as Hiral mentioned, similar to a traceability matrix having all of the regulatory requirements, i.e. Brazil, Europe. This can be as detailed or general as possible; it really depends on the quality system and type of device. In the "good 'ole days" the audit plan was the ISO 13485 elements listed all in a row with some identified months to conduct the audit. Under ISO 13485:2016 and other regulations like EU MDR there needs to be a process approach, so using a traceability matrix is highly recommended.

    ------------------------------
    Richard Vincins RAC
    Vice President Global Regulatory Affairs
    ------------------------------



  • 5.  RE: Internal Audit Process Requirements

    Posted 01-Oct-2019 11:28

    I tend to agree more with Dan than Richard or Hiral on this. I would remove the references to the regulatory requirements from the SOPs as well. This is a carry-over from the US wanting the reference to the QS Reg (since they don't recognize ISO 13485). However, it is very clear in ISO 13485:2016 that you must meet the applicable regulatory requirements for conformity to the standard, and most times there is the presumed compliance with regulations. If you add some, where do you stop? Do we really have to list each country's requirements separately? Keep in mind that an external auditor often has been trained (and may have a checklist for) some specific audit requirements; therefore they are looking to see that you audit those requirements (it is easy to check if you are doing something they know). This leads to, as Dan said, the "extra stuff" in your QMS. I call this the "growing requirements phenomenon". Just like in product development, you have to decide what inputs to take and which ones to leave aside as you determine the design specification for your QMS. This design specification can be your Quality Manual, and your implementation is to incorporate those things that are different (e.g., read the Z Annexes to see what's not covered). Going to all the work of a cross-reference seems overly burdensome. On the other hand... if you create such a matrix, please share it with the community; it helps all of us.



    ------------------------------
    Regards,
    Mark Swanson, ASQ CBA, CMQ/OE, CQE ASQ, MBA
    Becker MN
    United States
    ------------------------------



  • 6.  RE: Internal Audit Process Requirements

    Posted 01-Oct-2019 15:09
    Please note that if you are claiming compliance to MDSAP and sell into all 5 of the MDSAP countries (US, Canada, Brazil, Japan, Australia), you do need to cover all of the regulations in your Quality System, and also be able to demonstrate that your internal audit process audits against all of the applicable regulations. That is most easily accomplished, in my opinion, by a cross-reference matrix to which SOPs can refer. While you can justify that certain clauses of ISO 13485:2016 are equivalent to the country-specific clauses, there are some country-specific clauses (regulations) that are not covered by ISO/FDA and do need to be audited against specifically. If you cannot demonstrate that your QMS does indeed cover the applicable country regulations, audit findings can be issued for this.

    ------------------------------
    Hiral Dutia
    Norwood MA
    United States
    ------------------------------



  • 7.  RE: Internal Audit Process Requirements

    Posted 01-Oct-2019 18:42
    Numerous means are available to organizations in demonstrating compliance to global regulatory requirements for internal auditing of the quality system. Of course, as Richard has pointed out, the most appropriate means would take into consideration the organization's size and structure, product range and complexity, etc., but the aim would be to develop an auditing process that is 'necessary and sufficient' - or to use FDA terminology, the 'least burdensome' approach!

    From my experience, the following elements would allow compliance to ISO 13485:2016 and MDSAP audit requirements:

    1. Quality Manual structured to align with ISO 13485:2016 clauses;
    2. Quality System broken down into a manageable number of sub-systems (e.g. Management Responsibility/ Design Controls/ Purchasing Controls/ Document & Change Control/ etc) to enable periodic auditing of each sub-system per the audit plan/ schedule;
    3. Matrix within the Quality Manual showing the 'sequence and interactions' between the sub-systems (to ensure all inputs and outputs across the processes are addressed, best addressed by process mapping);
    4. Specific MDSAP requirements, in addition to ISO 13485 requirements, captured by country (Australia, Brazil, Canada, Japan and USA), under the relevant sub-system – this serves as the audit template, and allows the appropriate SOPs to be listed to demonstrate all requirements are addressed.

    In my opinion there is no necessity for every SOP to spell out the country-specific MDSAP requirements, so long as the requirements are included and addressed.



    ------------------------------
    Homi Dalal RAC
    Regulatory Affairs Leader
    Christchurch
    New Zealand
    ------------------------------