An ISO 13485 audit can make even the most seasoned medical device quality managers bite their nails. The standard includes 77 clauses, so there are a lot of opportunities to fall short.
Medical device manufacturers aren’t guaranteed recertification, either. Too many organizations fail their ISO 13485 audits because the quality team wasn’t careful to prepare with assessments. Recently, a Kentucky-based company made headlines for a failed audit. The company wasn’t following protocol for CAPA, complaint handling, acceptance activity, or purchasing controls.
Nevertheless, you don’t need to live in constant fear of an audit. With a solid ISO 13485 audit checklist, you’ll sleep well at night knowing your quality systems are up to standard.
The Best ISO 13485 Audit Checklists to Ensure Readiness
ISO 13485:2016 requires Stage 1 and Stage 2 audits. The best ISO 13485 audit checklists can help you prepare for both stages or an internal audit prior to certification or recertification. Stage 1 and Stage 2 audits differ in duration, depth, and scope.
Stage 1 audits typically last one day. An ISO auditor from your certifying body will provide a report of positive and negative findings to determine whether your company is ready to proceed to Stage 2.
Stage 2 audits typically last several days. This is a comprehensive evaluation of your organization’s compliance with ISO 13485:2016 standards. The auditor will review documentation, controls, internal audits and management review, and all relevant processes. The auditor may produce a list of non-conformances which have to be corrected before you can be certified or receive recertification.
ISO 13485 audits don’t technically result in a “pass” or “fail” grade. Your organization can only really fail if you ignore the auditor’s suggestions for fixing non-conformances. This would result in failing to get certified or losing your ISO 13485 certification. However, non-conformances can have a real impact on product quality, waste, and compliance. Preparing to pass an ISO audit with minimal recommendations is clearly a smart move.
The Best Checklists
The best checklists for ISO 13485 audits include free documents maintained by internationally recognized standards organizations and certifying bodies.
This checklist guides organizations through compliance with ISO 13485:2016 and MDD, the European Union’s Medical Device Directive. The MDD is a complex document with 23 standards for compliance and a unique certification pathway, and some minor differences from ISO. This can be particularly useful if you're trying to meet the May 2020 EU medical device directive deadline.
This DQS checklist is a printable PDF which includes 38 pages of questions so you can determine, in detail, potential areas for improvement. Each checklist item is clearly mapped to the corresponding component of the ISO standard. DQS is a Germany-based certifying body.
This planner and delta checklist is designed for clients to complete prior to on-site review from an ISO auditor. It includes highly detailed fields that can guide internal improvement efforts, including the ability to score your company on a scale of 1-10 and assign responsibility and completion dates.
This free, Microsoft Word-based resource also includes an Appendix which details the differences between ISO 13485:2016 and 13485:2003. The NSF-ISR is a US-based certification and standards entity.
This PDF checklist is designed to serve as a guideline for internal audit activities. The document contains room for observations, comments, and results, or internal corrective actions taken prior to a Stage 1 or 2 audit. ISO requirements that align with FDA QSR are highlighted in yellow for easy reference.
While this checklist offers many helpful features, it’s best used in conjunction with other resources since it’s designed for ISO 13485:2003 instead of the most recent version of the standard. Compliance Online is an online information portal with resources for quality practitioners.
This Microsoft Word document is a comprehensive preparation overview which was built for medical device manufacturers in Ireland to complete and submit to their auditor prior to on-site evaluations. NSAI is an Irish certifying body.
It contains fields for organizations to document their response and evidence for each component of the ISO 13485:2016 standard, and the auditor’s verification of the internal audit. This document is a comprehensive, in-depth guideline for internal audits and understanding how certifying auditors may review your quality management system.
Beyond the Checklist: Preparing for an ISO Audit
An ISO audit shouldn’t be cause for losing sleep. Ideally, your organization should understand how your quality system stacks up against the standard for medical device manufacturers and opportunities for improvement. Checklists are high-value tools when they’re used on an ongoing basis to internally audit your QMS. They let you know what to expect.
Knowing what to expect is definitely a good thing when it comes to an inspection from an ISO or FDA auditor. You shouldn’t raise the alarm when an inspector walks on site and worry about how to disguise weaknesses in your QMS. Devoting the resources in advance to make sure you meet standards for quality management can ensure your quality management system is helping you operate efficiently and with minimal risk.
There is no public database of feedback that companies receive during an ISO audit. However, ISO 13485 has many areas of alignment with FDA QSR. Based on 483 observation data, you can identify which areas are the ones companies struggle with and focus on common pitfalls.
Insufficient CAPA is the number one trigger for FDA citations in the medical device industry. Rely on ISO 8.5.2 (correction) and 8.5.3 (prevention) and the FDA’s own inspection guidelines to make sure your CAPA meets standards.
The second-most-common reason organizations received a 483 observation was a lack of standard procedures for complaint handling, or evidence that the procedures weren’t followed. Complaints are addressed in FDA CFR 820.198 and ISO 8.2.2.
Failure to create and follow a written procedure for the supply chain can mean non-compliance and supplier risks that compromise device quality.
Process validation is worth the investment the first time around to avoid potential ISO or FDA inspection or quality issues.
Your organization needs written procedures and systems for medical device reporting (MDR), including events and annual reports. This is detailed under FDA CFR 803.17 and ISO 13485:2016 guidance for record keeping.
Develop a Process for the Audit
Your efforts to prepare for your audit will be most effective if they follow a process, specifically a careful schedule for internal audit activities. You should perform an in-depth review of internal quality systems continually and avoid putting off internal audits until the last minute. You may choose to review three areas each month to spread out the workload, reviewing each system at least twice per year. A partial schedule is outlined below:
- Design: February, June, October
- Purchasing: March, July, November
- Training: April, August
- Quality Assurance: January, May, September
Focus on Upstream Quality
Medical device quality is a complex concept. That’s why ISO 13485:2016 has 77 sections that address every component of the device lifecycle, from design to process validation, sales, and complaint handling. Upstream quality (UQA) is a manufacturing concept which relates to “quality from the start,” or the idea that putting in proper effort in the early stages can avoid quality issues later, or downstream.
Upstream quality is also frequently used to focus on process inputs, or supply chain management. UQA starts with the quality management unit and leadership team. Proper documentation and a strong quality management system can ensure you’ve formed a solid baseline.
Prepare for the Conversation
While it’s always important to be professional and careful when you’re dealing with any type of inspector, ISO inspections for certification have a much different tone than interactions with the FDA.
An ISO inspector isn’t going to fail or cite your company on the spot. These interactions are generally much more conversational and lower-pressure than an on-site audit from an FDA inspector. Employees should be prepared for a productive conversation and avoid giving out info they’re unsure of, but it’s much harder to get into trouble by saying the wrong thing.
How a Great eQMS Can Help You Pass an ISO 13485 Audit Easily
No one wants to feel clueless when they’re facing down an ISO audit. The worst feeling in the world is being unsure of how your QMS stacks up against standards. It’s even worse when you find yourself scrambling to locate documents or records requested by the auditor, or you learn that you’re missing entire quality processes.
Medical device startups and scale-ups don’t have to build an ISO 13485-compliant QMS from the ground up. You can streamline ISO certification with an enterprise quality management system (eQMS) built specifically in accordance with ISO 13485:2016, FDA QSR, and other relevant standards.
Qualio is a cloud-based QMS which can simplify internal audits and improve visibility, helping you maintain compliance year-round and pass audits with ease. The best way to determine if Qualio is the right fit for your organization is with a personalized demo.