Internal Quality Audit

A medical device company should have a robust internal quality audit program which consists of procedure, internal audit team, plan, quality audit checklist to audit the quality system regularly.

For quality audit plan:  Quality Assurance (QA) should be responsible for the planning and scheduling of internal audits of the quality system, manufacturing processes and products. QA should establish audit frequency. The audit frequency is often based on the importance of manufacturing processes, products and areas. Should there be customer complaints, internal and external nonconformities regarding a product and process, internal audit for that area of interest should be carried out as well.

Internal audit should be performed at the very least once a year or semiannually or quarterly. I had observed some medical device company performed internal audit monthly, but only on a specific section of the quality system. For example, January on Design Verification and February on CAPA.

The internal quality audit plan should be mapped out clearly in a matrix with all the quality system elements like that of 21 CFR 820 and ISO 13485. In this plan, there should be responsible group who will be performing the internal audit on the desired date of the audit.

The audit team should consist of qualified, experienced and independent quality auditors who are very well versed in the quality system about to be audited. Audit team should not succumb to internal pressure so they may water down the internal audit report. I had basically seen this occurrence where the marketing group had complaint to the top management that the severity of the internal audit causes slowness in releasing product and therefore the internal audit did not perform the job they should be doing. The internal audit team should perform the job without fear or favor.

During the audit, auditors seek objective evidence demonstrating whether the audited activities conform to the requirements of the documented quality system, and whether the system is effectively implemented and maintained. When nonconformity is noted, it is brought to the attention of, and discussed with, the responsible individual of the department in question.

Before the end of the audit, each noted nonconformity is documented using the Audit Nonconformity Report form. Auditors fill out only the first part of the form, describing the noted nonconformity. The form is then handed over to the responsible individual who uses its second part to propose a corrective action.

Documentation and record: Internal audits, implementation of resulting corrective actions, and follow-up audits are documented using the audit nonconformity report form.

At the end of an auditing cycle, all nonconformity reports established during the cycle are compiled and analyzed, and are presented at the management review meeting.

Reference	Criteria
ISO 13485 8.2.2	Does the company conduct internal audits at planned intervals to determine whether the quality management system conforms to the planned arrangements?
ISO 13485 8.2.2	Does the company conduct internal audits at planned intervals to determine whether the quality management system conforms to the requirements of ISO 9001:2000?
ISO 13485 8.2.2	Does the company conduct internal audits at planned intervals to determine whether the quality management system conforms to the quality management system requirements established by the company?
ISO 13485 8.2.2	Does the company conduct internal audits at planned intervals to determine whether the quality management system is effectively implemented and maintained?
ISO 13485 8.2.2	Are the company’s audit programs planned? Do the audit programs take into consideration the status and importance of the processes and areas to be audited? Do the audit programs take into consideration the results of previous audits?
ISO 13485 8.2.2	Are the audit criteria, scope, frequency, and methods defined? Does selection of auditors and conduct of audits ensure the objectivity and impartiality of the audit process?
ISO 13485 8.2.2	Does the audit process ensure that auditors do not audit their own work? Are the responsibilities and requirements for planning and conducting audits, and for reporting audits and maintaining records, defined in a documented procedure?
ISO 13485 8.2.2	Does management responsible for the area being audited ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes? Do follow-up activities include the verification of the actions taken and the reporting of verification results?

Disclaimer: Although the author had exhaustively researched all sources to ensure the accuracy and completeness of the information contained in this blog, but no warranty and fitness is implied. I assumed no responsibility and implied warranty of any kind for errors, inaccuracies, omission, or any inconsistency herein. No liability is assumed for incidental or consequential damages in connection with the use of the information contained herein. Readers should always use their own judgment and review all related regulatory guidelines. Guidelines can change over time.