Hello Maude,
As you can imagine there are many ways an effective internal audit programme can be established and implemented, which should be tailored and helpful for your organisation. As an example, depending on size of the company sometimes it is more effective to have these performed by external company or to have a couple audits over a few months or "smaller" audits more frequent. The first thing I would recommend is establishing a risk-based approach to your internal audit programme. This means when you are routinely performing audits, when there are processes which are well-established, working well, done routinely, such as document control, these may not need to be done so often. Whereas, when there are processes which a new implemented, issues creep up, or frequent change in personnel like say validation programme, you would do this more often. There is such an emphasis in the industry to perform audits once a year, where it ends up being just a paper-work exercise and filling in the checklist. Internal audits should be done to help companies find issues, problems, and correct perform someone else finds it like an external regulatory investigator. Why spend hours auditing document control when year and year no issues are found?
The second item I would recommend is using a process-based approach to your internal audits instead of elements or chapters or even sections of the regulations. As an example, the new EU MDR/IVDR are written in a way which facilitates processes within a quality management system. MDSAP is also written with a process based approach, though sadly many still only go through as a checklist. Conducting your internal audits following processes helps see how these are connected, linked, and when issues are found in areas how these cascade through the activities, i.e. when an adverse event happens how does this trigger corrective action, need review of risk analysis, affect design or manufacturing changes, etc. You will also find conducting effective process-based audits will help cover all of those regulatory requirements and compliance needs which medical device companies continually strive. Also if you have good process based audits this will be more effective in covering all those regulatory requirements from ISO 13485, MDSAP, USA FDA, EU MDR.
You are on the right path with a nice pool of internal auditors as well because this will help keep fresh pair of eyes on the processes and really helps educate people in the regulatory requirements, internal workings of the company, and how to respond during external audits. Of course, people need to have the correct competencies and training in the areas reviewing, but a well-rounded audit team can also bring good effectiveness in reviewing processes for regulatory requirements. Ultimately if you are ISO 13485 certified, CE Marking products (Notified Body audits), and MDSAP certified (AO audits), you need to meet all of the regulatory requirements first and foremost. Though I have the opinion if you use a process-based audit, risk-based audit, with well trained people not only can you meet the regulatory requirements, but even find ways to make internal processes better and more efficient. This does take time and does take resources. Unfortunately, internal audits are one of those areas often gets cut or not done because of other priorities or needs.
------------------------------
Richard Vincins RAC
Vice President Global Regulatory Affairs
------------------------------
Original Message:
Sent: 23-Oct-2020 14:47
From: Dan O'Leary
Subject: Internal Audit Programm
I'm a consultant and do internal audits for a few companies.
I don't audit to the standard or regulation, I audit to the implementing procedures and work instructions. That avoids the duplication.
I make the assumption, not always true, that the requirements from the standard or regulation are in the procedure or work instruction. This should be part of document control process to prevent issuing incorrect documents.
(As an aside, I've reviewed or audited medical device risk management in thirty or so companies, and I've never seen a company implement the standard as written.)
If I find a gap between the procedure and the regulation, I write the nonconformance against the procedure. In many cases the people who perform daily work follow the procedure, a good thing, even though it may have a gap, a bad thing.
Do not write audit nonconformances against MDSAP. It is not a requirement, but a big audit checklist looking a country specific requirements.
Another problem is that some companies write new procedures for each standard, to correct a nonconformance, etc. This creates overlapping and contradictory requirements. I try to find them in my audits.
Internal auditor competency is a different issue. You should look at that section of ISO 19011:2018.
I distinguish between jobs and roles. A job is typical daily work (incoming inspection) and a role is a collateral duty (internal quality auditor). For both of them I write position descriptions using the elements of competency in ISO 13485:2016, 6.2, first paragraph (and QSR if you sell into the US).
If your company has a performance evaluation system, be sure it includes an individual's role as an internal quality auditor. Also, this is a good opportunity for development activities.
P.S. No problem with your English
------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
Original Message:
Sent: 23-Oct-2020 13:43
From: Maude Thibault
Subject: Internal Audit Programm
Hi RAPS Members,
I'd like to know how do you plan your internal audit calendar with consideration of each process and each standard / regulation that needs to be audited. We have to audit on ISO 13485, MDSAP and MDR. Of course capability to demonstrate compliance of the program is required but, what are your best practices to remain efficient, work with pool of internal auditors with different competencies and, prevent auditing a the same process/activity as many of time as the number of regulations that requires it (hope my phrasing is correct; not my primary language). Any feedback will be greatly appreciated.
Thanks a bunch!
------------------------------
Maude Thibault
Regulatory Affairs
L'Islet QC
Canada
------------------------------