External Quality Audits

As described in previous post entitled “the internal quality audit” and conversely, there should also be an external quality audits program in the medical device company. The internal quality plan is to audit the state of things with the internal quality system while the external audit is to audit the state of things with external business entities associated with the device manufacturer. Examples are contract research organization (CRO), contract manufacturing organization (CMO) and all sort of suppliers of components and parts.

Depending on the complexity of the medical device, sometimes, the sponsors has literally a few to a few hundred suppliers. These suppliers need to be constantly audited to ensure their quality system is in compliance to 21 CFR 820, ISO 13485, ISO 14971 etc.

Therefore, sponsor should have a procedure that can provide a system and instructions and to assign responsibility for conducting external audits of the quality management system of suppliers and CMO.

Aside from the procedure, sponsor should also has external audit plan, audit nonconformity report template, quality audit checklist and a great external quality audit team.

For audit plan: QA is responsible for planning and scheduling external audits of the quality system of CMO manufacturing processes and raw materials suppliers. Because of the enormity of the external audit program, therefore, it is prudent to choose the audit frequency based on status and importance of the processes, products and areas to be audited and as well as results from previous audits, previous nonconformities, CAPA and customer complaints. Typically, each supplier should be audited once in two years.

In the external audit plan, the dates, assignment of audit teams, areas to be audited should be set clearly and to be followed. External audit plans should be synchronized with management reviews of the sponsor’s quality system.

For external audit team: External quality team member should be qualified, experienced, have the necessary education, independent and able to write well and fast. External auditors must have expert level in ISO 13485, 21 CFR 820 and EU MDD, for example.

During the external auditing, external auditors seek objective evidence to demonstrate whether the audited activities conform to the requirements of the documented quality system, and whether the system is effectively implemented and maintained. When nonconformity is noted, it is brought to the attention of, and discussed with, the responsible individual of the department.

At the end of the audit, each noted nonconformity is documented using the audit Nonconformity Report. External audit team should fill out only the first part of the form, describing the nonconformity and handed over to the responsible individual who uses the second part to propose correction, corrective action or perhaps a remediation plan.

Upon receiving the report, the responsible individual investigates the cause/s of the problem noted as a nonconformity, proposes a correction or corrective action to be taken, and indicates the date by which the corrective action will be fully implemented. The external auditor reviews and approves the proposed action.

Documentation and Record: this is a critical part. External audits, implementation of resulting corrective actions, and follow-up audits are documented. At the end of an auditing cycle, all nonconformity reports established during the cycle are compiled and analyzed, and are presented at the management review meeting

Reference	Criteria
ISO 13485 /8.2.2	Are the company’s audit programs planned?
ISO 13485 /8.2.2	Do the audit programs take into consideration the status and importance of the processes and areas to be audited?
ISO 13485 /8.2.2	Do the audit programs take into consideration the results of previous audits?
ISO 13485 /8.2.2	Are the audit criteria, scope, frequency, and methods defined?
ISO 13485 /8.2.2	Does selection of auditors and conduct of audits ensure the objectivity and impartiality of the audit process?
ISO 13485 /8.2.2	Does the audit process ensure that auditors do not audit their own work?
ISO 13485 /8.2.2	Are the responsibilities and requirements for planning and conducting audits, and for reporting audits and maintaining records, defined in a documented procedure?
ISO 13485 /8.2.2	Does management responsible for the area being audited ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes?
ISO 13485 /8.2.2	Do follow-up activities include the verification of the actions taken and the reporting of verification results?

Disclaimer: Although the author had exhaustively researched all sources to ensure the accuracy and completeness of the information contained in this blog, but no warranty and fitness is implied. I assumed no responsibility and implied warranty of any kind for errors, inaccuracies, omission, or any inconsistency herein. No liability is assumed for incidental or consequential damages in connection with the use of the information contained herein. Readers should always use their own judgment and review all related regulatory guidelines. Guidelines can change over time.