Filter posts by category

ISO Auditing

Internal Auditing, Supplier Auditing, Lead Auditor, Internal Auditor, ISO 19011, and ISO 17021.

5 Proven Audit Approaches

Leave a Comment / ISO Auditing / By / , , , ,

This article, Medical Device Academy-5 Proven Audit Approaches, reviews how our clients benefit from our tried and true audit principles.  

5 benefits internal audits 5 Proven Audit Approaches

1. Process Approach 

I am an advocate for using turtle diagrams (i.e., the process approach) for auditing instead of audit checklists. Beyond the noticeable visual differences between audit checklists and turtle diagrams, these two tools result in very different types of observations. An auditor using a checklist typically starts with a regulatory requirement, and then the auditor samples records to verify if the records meet the requirement. Once this verification has been successful, it is unlikely that the process will have a problem in the future.

Turtle diagrams and the process approach focus on the inputs and outputs of a process–instead of specific regulatory requirements. For example, when an auditor uses the element approach to auditing, the auditor will sample one or more process validations from a master validation plan to ensure compliance with 21 CFR 820.75. However, step four of the process approach includes sampling process validation for each audited process. If there is a lack of process validation for any process, the auditor will identify the gap. Step four also involves verifying the calibration of devices used in the process and maintenance of any equipment. Therefore, the process approach is sampling requirements for process validation, calibration of measurement devices, and preventive maintenance for each process–instead of once for each regulatory element. 

2. Where Audits are Conducted

Most auditors spend an extraordinary amount of time in conference rooms. If I can audit your records in a conference room, I can also audit your records from my office in Vermont. Remote auditing eliminates the cost of travel. More than half of your quality system records can be effectively audited remotely. Therefore, when any auditor on our team visits your facility, they want to spend more time seeing you demonstrate production processes and interview people instead of reviewing records in your conference room. This is the only effective method to audit production and process controls, one of the four primary quality system processes the FDA focuses on during Level 2, comprehensive QSIT inspections. 

3. Read Less and Listen More

Most auditors like to start with a procedure and then look for compliance with the procedure. We begin with an interview with the process owner or someone performing a step in the process. Then we ask for a demonstration, and records and procedures last. I coach new auditors to ask people they are interviewing to show them where a requirement can be found in their procedure. This has several hidden benefits. First, auditors don’t have to spend much time hunting for a requirement because the auditee will find it for the auditor. Second, the auditor will quickly learn how familiar the auditee is with the specific procedure. Finally, if the company is not following a procedure, the auditee is unlikely to be able to locate the requirement in its procedure. 

4. Start at the End with Problems

Most people prefer to follow a process from beginning to end. More specifically, the opening is step one of a procedure, and the end is a product and paperwork resulting from the process. Since most products and paperwork are done correctly, we seldom find anything wrong with a process if we start at the beginning. Alternatively, we can begin at the end of a process with a cage of nonconforming material or a log sheet of complaints. Then we can work our way back to the beginning of the process, and hopefully, we will see what went wrong in the process during our investigation. Therefore, my internal audit agenda often begins with a tour of the facility that will arrive at the location where a quarantined product is stored. Then, I worked my way back through the process to incoming inspection, the purchasing process, and finally, the design controls process, where specifications were initially created. Using this approach often results in discovering problematic processes that can potentially cause other problems beyond the one example we found in the quarantine area. 

5. Focus on Effectiveness Checks

The last sub-clause of ISO 13485:2016, Clause 8.5.2, is specific to the requirement for verifying the effectiveness of corrective actions. This is not the same as verifying implementation. If an internal audit identifies no maintenance records, you might attempt to prevent recurrence by creating a procedure that requires maintenance records. A copy of the procedure, records of procedure review, and approval and training records are evidence of implementing the corrective action.

Effectiveness verification requires more (https://medicaldeviceacademy.com/capa-effectiveness-check/). You need to go back and verify that maintenance records are being created and maintained. Therefore, whenever we write an audit finding, we also review potential corrective actions with the client and suggest possible effectiveness checks to ensure corrective actions work.

If your company needs help with internal auditing and would like a quote, please email Matthew Walker. We are also teaching a lead auditor course in partnership with AAMI, which will start in the fall of 2020.

5 Proven Audit Approaches Read More »

How to Audit Your Labeling Process for 21 CFR 820 Compliance

Leave a Comment / ISO Auditing / By / , , , , ,

This article reviews how to audit your labeling process for 21 CFR 820 compliance with the six requirements of section 820.120.

audit labeling How to Audit Your Labeling Process for 21 CFR 820 ComplianceThe most common cause of recalls is labeling errors. Therefore, one of the best ways to avoid a recall is to perform a thorough audit of your labeling process. Unfortunately, most auditors receive no specific training related to labeling. The primary reason for the lack of labeling-specific training is because most auditor training focuses on ISO certification requirements.

ISO 13485 Requirements for the Labeling Process

ISO 13485 only requires the following labeling requirements: “The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable…g) the implementation of defined operations for labeling and packaging.” ISO 14969 is the guidance document for ISO 13485, and the guidance includes additional recommendations for control of the labeling process to prevent errors. Unfortunately, auditors are trained to audit for compliance with regulations, while guidance documents are neglected almost entirely. ISO labeling requirements are vague. Therefore, auditors need to focus on the six requirements of 21 CFR 820.120–the section of the FDA QSR specific to labeling. Labeling process flowchart1 How to Audit Your Labeling Process for 21 CFR 820 Compliance Most auditors are taught to develop a regulatory checklist to verify requirements. However, the process approach to auditing is a more effective approach to identify ways that the labeling process can break down. Below examples of how the two approaches differ are provided for each of the six requirements:

1. Labeling Procedure

Most auditors, and FDA inspectors, request a copy of a labeling procedure to verify compliance with the first requirement. In their notes, they record the document number and revision of the procedure. The auditor may also review the procedure to ensure that the procedure includes each of the other five regulatory requirements listed below. The process approach to auditing also verifies compliance with the requirement for a procedure. Still, auditors using the process approach ask the process owner to describe the process, and the process description provided is compared with the procedure.

I also teach auditors to ask the process owner to identify where in the procedure, each requirement can be found. This eliminates the need to spend valuable audit time reviewing a procedure and forces the process owner to demonstrate their familiarity with the procedure.

2. Label Integrity

A lack of labeling integrity is seldom raised as an observation by auditors, unless labels are falling off of the product, or if the label content is illegible. During hundreds of audits, I have never noticed a label falling off the product, but I have seen customer complaints about labels falling off. Another way to assess if there is a problem with labeling integrity is to ask how the labeling specifications were established, verified, and validated. The user environment is frequently the determining factor for labeling specifications. For example,

  • Does the label need to be waterproof?
  • Is the print likely to be exposed to abrasion that could rub off the ink?
  • Are the storage conditions likely to include high heat and humidity that could cause the adhesive to fail? 

This type of approach links the labeling of products to customer focus and design inputs.

3. Labeling Process Inspection

The inspection of labeling is more than a visual examination. A thorough inspection requires a systematic review of the label content to ensure that the label information matches the requirements for the specific production lot. The requirements specify verification of:

  • correct expiration date
  • control number
  • storage instructions
  • handling instructions

There is also a requirement to document the date of inspection and the person that performed the inspection. An auditor can verify that the labeling inspection is being performed by reviewing records of the inspection, but you will rarely find an inspection record where the label is nonconforming. If you follow the process, you might ask the process owner where nonconforming labeling is recorded. The nonconforming material records should be an output of every inspection process. Auditors should also ask for metrics regarding a process. The frequency of labeling mix-ups and labeling errors identified during an inspection is an important metric that can be used as an indicator of weaknesses in labeling operations.

4. Labeling Storage

Most auditors will verify that labels are stored in a location to prevent deterioration or damage, but the highest risk is the mix-up of labels. Therefore, it is crucial to control the location of labels so that the incorrect labels cannot be accidentally distributed to the wrong manufacturing line. 

In 21 CFR 820.150, there is also a requirement to establish “procedures that describe the methods for authorizing receipt from and dispatch to storage areas and stock rooms.” Therefore, as an auditor, you might consider asking the process owner what the input to the labeling distribution process is (e.g., a work order) and which distribution records are created during the process. A labeling requisition and/or “pick list” from production planning is often used as an input to the labeling process, while the distribution of labeling to manufacturing usually requires a log entry for distribution from a stockroom, or assignment of a lot number to the batch of labels that must be entered in a log.

5. Labeling Process

It is insufficient to review DHRs for the labeling process. When you interview the process owner, you should determine who is responsible for creating and inspecting labels. Then, I coach auditors to go and view labeling operations at the source. By interviewing operators and asking them to demonstrate entry of variable data for labels and printing of labels, you can answer each of the following questions without even asking:

  • Is validated software is being used?
  • Are label templates protected from inadvertent changes?
  • How do operators ensure that labels from different lots are not mixed up?

Interviewing inspectors can determine if calibrated tools are being used to verify labeling dimensions and the proper placement of labels. You should also observe how inspectors ensure that variable data is correct.

6. Control Number

Most auditors will sample DHR records to verify that lot control numbers are recorded for each batch of products. However, when an auditor is focusing on records, the auditor is unlikely to identify any aspects of label handling that could result in mix-ups. To ensure that processing and segregation of different lots are adequate, an auditor has to observe line clearance procedures and to verify that each lot of labels is identified with regard to the lot number, quantity, and the released status if the identification information about the label is separated from the physical labels, the potential for labeling mix-ups increases.

One final aspect of labeling and control numbers to consider is the impact of new UDI regulations. Labeling will need to indicate the date of manufacture and expiration of the product. This information needs to be incorporated into the variable content of labels. Therefore, if labels are pre-printed, it may be necessary to reprint labels when the date of manufacture changes. This additional requirement is likely to force companies into on-demand printing of labels and automated software control systems. Auditors can verify the successful implementation of labeling process changes by auditing for compliance with the revised procedures.

UDI states that production identifiers (PI) consist of Manufacturing Date, Expiration Date, Lot/Batch Number, Serial Number. The rule also states that if a labeler does not use any of the listed PI, they do not need to have it on their labels. This will most likely apply to Class I device labelers only as Class II, and III labelers usually have one or more of the PI on their labels. Due to the variable nature of the PI, many labelers are adding in-line label verifiers to make sure their labels are readable by scanners.

How to Audit Your Labeling Process for 21 CFR 820 Compliance Read More »

4 Ways to Make the Best Use of Medical Device Remote Audits

2 Comments / ISO Auditing / By / , , , , , , , ,

This blog identifies how to use medical device remote audits effectively, save time and resources, and when you should not conduct audits remotely.remote audits blog 4 Ways to Make the Best Use of Medical Device Remote AuditsMost audits ISO 13485 are performed onsite at the location where the processes are being performed, and are the most effective approach to internal and supplier audits. But conducting an audit from your desk makes more efficient use of your time as an auditor. A large percentage of audits are conducted from conference rooms where the auditor spends an excessive amount of time reviewing documents and records, or waiting for documents and records to be delivered. 

In 2006, the first edition of the ISO 17021 standard for certification of quality systems by certification bodies was released. ISO 17021 requires that initial certification audits be conducted in two stages. Stage 1 has several requirements, but the first element of Stage 1 is reviewing quality system documentation. In most cases, Stage 1 and Stage 2 audits are conducted onsite. Still, if the auditee is located in a remote location (such as New Zealand), Stage 1 audits will sometimes be conducted via conference call. 

Prior to ISO 17021, a review of quality system documentation was the only task performed before the initial certification audit, and the documentation review was typically conducted remotely as a “desktop” audit. Desktop audits have been used for decades as a way of auditing quality system documentation without traveling. However, desktop audits can be much more than a review of quality system documentation. You can interview auditees on the phone, review records, even ask auditees to demonstrate activities in real-time using a web camera.

Documentation can also consist of much more than text. Raw data, statistical analysis, and photos can be used to communicate additional information. The more multimedia content provided to auditors remotely, the closer a remote audit becomes to auditing on site. The same requirements as certification bodies do not bound internal auditors and supplier auditors, and audits may be conducted onsite or remotely. The most recent version of ISO 19011 (2011), includes a comparison table for onsite and remote auditing in Annex B.

Medical Device Remote Supplier Audits

The use of remote audits to qualify suppliers is not recommended for four reasons:

  1. onsite visits facilitate the building of supplier-customer relationships
  2. touring facilities and watching a demonstration of processes improves understanding of a supplier’s processes better than reading documents and records can
  3. Cleanliness and capabilities of suppliers are best evaluated onsite, where camera angles can be used to crop out important details
  4. sometimes suppliers misrepresent their capabilities by showing photographs on their website of other companies.

After you have qualified a supplier, however, you may not need to audit them onsite regularly. If a supplier’s performance is good and risks associated with nonconforming components supplied are minimal, then you have a justification for conducting a remote audit. However, if a supplier’s performance is poor, you may want to use a remote supplier audit as a precursor to an onsite supplier audit to investigate the reasons for nonconforming components (i.e., a “for cause” audit). Regardless of the situation, the amount of time spent in your supplier’s conference room should always be by reviewing documents and records remotely. This will reduce the amount of time required at each supplier, and enables you to audit two suppliers during the same trip.

Medical Device Remote Internal Audits

It might not occur to you that there would be any need for remote internal audits. However, not all internal audits are performed by a person working at your location. Larger companies have multiple sites, and many of the internal audits are performed by auditors from corporate headquarters and other locations. In the case of internal audits performed by auditors from other locations, travel time can be minimized by performing part or all of the internal audits remotely. This approach can also work for consultants hired to conduct internal audits. There is no need to spend money on the cost of travel for a consultant if the consultant is only going to be auditing documents and records. The following are great examples of processes that can be audited remotely:

  1. CAPA
  2. Management Review
  3. Internal Auditing
  4. Supplier Controls
  5. Complaint Handling
  6. Adverse Event Reporting

Medical Device Remote Re-audits

21 CFR 820.22 indicates that re-audits may be required where corrective actions have been taken to verify the effectiveness of the actions taken: “Corrective action(s), including a re-audit of deficient matters, shall be taken when necessary.” However, if nonconformities identified during an audit are categorized as “high-risk,” it may be essential to conduct a verification of corrective action effectiveness as soon as possible.

Sometimes, effectiveness can be determined by reviewing quantitative metrics. Still, if a re-audit is needed, then a remote re-audit may allow the auditor to verify the effectiveness of corrective actions without the necessity of being onsite. If verification of corrective action effectiveness can be performed by reviewing documents and records, a remote re-audit is appropriate. Other corrective actions, especially those involving production and process controls, typically require onsite verification.

Remote Audit Team Members

Most medical device companies have a limited number of qualified auditors, and auditing is almost always a secondary job duty. However, audits often require specific technical knowledge that only one or two auditors may possess. Therefore, it may be extremely difficult to schedule a team audit when all the required auditors and auditees are available. There is another option to postponing your audit. You might consider having some of your auditing team members audit remotely from their desks, while the rest of the team conducts an onsite audit. For example, most lead auditors can conduct a process audit of incoming inspection, storage, and shipping. However, auditing surface mount assembly lines for the fabrication of printed circuit boards requires more technical knowledge of this type of process. Technical expertise is also needed to audit sterilization or CNC machining.

By working together, onsite audit team members can take directions from a technical subject matter expert working remotely and gather information needed to audit any process properly. This approach minimizes time requirements for subject matter experts, and remote audits by team members reduce the cost of travel.

If you are interested in learning more about Turtle Diagrams and the process approach to auditing, please register for our webinar on the process approach to auditing. If you are interested in learning more about how you can use remote audits to save time and money, please contact us. We can help you identify immediate opportunities.

4 Ways to Make the Best Use of Medical Device Remote Audits Read More »

5 Criteria for a Certified Internal Auditor Program

1 Comment / ISO Auditing / By / , , , , ,

5 criteria 5 Criteria for a Certified Internal Auditor ProgramFive criteria for a certified internal auditor program of medical device lead auditors for ISO 13485 quality systems auditing and supplier auditing.  Five criteria are essential to a certified internal auditor program:

  1. formal training by a qualified trainer
  2. an exam to demonstrate the effectiveness of training
  3. practical experience
  4. observation of actual audits by an experienced lead auditor
  5. documentation

Internal auditors do not need a certificate from a third party (i.e., someone other than your company or customers), and training programs do not need to be accredited. Your company can save money and develop an in-house certification program. The only reason why third-party certification and accreditation are needed is 1) if your internal auditor procedure requires it or 2) if you are training to become a third-party auditor working for a certification body or registrar. Therefore, I don’t recommend writing a procedure that requires a certificate from a third party or an accredited program. Write your internal auditor training requirements to allow flexibility, but ensure you include each of the five elements listed above.

1. Formal training by a qualified trainer

Formal training is planned and has a documented curriculum. The curriculum can consist of one long course over several days, or you can limit the duration of each class to an hour over several months, and you can develop a schedule to fit individual needs. Training should be customized to a certain extent for each internal auditor, but most programs have at least one primary lead auditor course that everyone must complete. A qualified trainer must also deliver formal training.

2. An exam to demonstrate the effectiveness of training

I have written about the use of exams to document training effectiveness. You can use a combination of multiple-choice questions, fill-in-the-blank, short answer, and essay questions for an exam. However, to demonstrate the effectiveness of auditor training, one evaluation method is superior to all others: writing nonconformities. If you provide a hypothetical scenario to an auditor, the auditor should be able to write a complete nonconformity. This exercise tests the auditor’s ability to identify the applicable regulatory requirements, assess conformity, grade nonconformities, and select the appropriate wording of the nonconformity and associated objective evidence. The only downsides to writing nonconformities are: 1) they are more challenging for instructors to grade, and 2) the grading is subjective.

3. Practical experience

The most common way to document the previous experience of internal auditors is to include a copy of the person’s resume in their training record. However, I recommend using a tracking log for all audits to identify which auditors conducted which audit. Ideally, you want to use an electronic database that allows you to search the database using the auditor’s name as a search field. Your database should also indicate which role the auditor was fulfilling: 1) lead auditor, 2) team member, 3) trainee, or 4) observer. Sometimes, the person may have multiple roles (e.g., team member and trainee or lead auditor and observer).

4. Observation of actual audits by an experienced lead auditor

It doesn’t matter if training is remote and recorded or live and in-person, but remote and recorded training needs to be balanced with an observation of actual audits by an experienced medical device quality system auditor. “Observation” needs to be defined, but I recommend using a controlled form to document observations. Attached to this form is a completed observation form, a copy of the audit notes, and a copy of the audit report, which creates a complete record to demonstrate the trainee’s observation of each audit. Just don’t make your controlled form overly burdensome. A single page is fine–as long as it consists of more than yes/no checkboxes.Experienced” also needs to be defined, but I recommend the following combination of qualitative and quantitative experience. First, an experienced lead auditor must have documented formal training, but formal training does not need to be third-party training. Second, an experienced lead auditor should have completed at least 100 audits. One hundred is an arbitrary number, but that number represents more than 1,000 hours of audit preparation, auditing, and report writing. Anything less than 1,000 hours is inadequate to be qualified to begin training others.

5. Documentation

Documentation must include all of the above elements. You need to document the training plan for each internal auditor, and it must meet minimum training requirements–which should be documented in your internal auditing procedure. Your documentation should include the minimum criteria for qualification of a trainer–often a resume, and adding the person to your approved supplier list is sufficient. You should document the results of any formal quizzes and exams for training effectiveness. Auditing experience for each person should be documented. Specifically, you should have a form listing a description of the scope and dates for each audit during the certification process. Auditors’ Observations need to be documented, and any corrections or recommendations for improvement should include documented follow-up. If an auditor already has extensive experience before joining your company, your procedures should allow for a written justification instead of repeating the training. If your company uses a software tool to manage training, I recommend creating a separate training group for internal auditors rather than incorporating internal auditing into another job description and/or training curriculum.

What Really Matters

Whether your internal auditor training is effective and internal auditors are competent matters. Certificates make pretty training records to post on the wall of your cubicle. Competent internal auditors identify quality issues before you receive an FDA 483 or a nonconformity from your certification body. Competent auditors also add value by identifying ways to make processes more efficient and opportunities to save money. If you are looking for a qualified trainer to provide formal training in a public venue or in-house, please visit the following webpage: http://bit.ly/Lead-Auditor-Course.

5 Criteria for a Certified Internal Auditor Program Read More »

The Audit Program Manager: 4 Areas of Auditor Competency

2 Comments / ISO Auditing / By / , ,

rookie The Audit Program Manager: 4 Areas of Auditor Competency

Passing a webinar on auditing does not make you competent.

This blog reviews an audit program manager’s four areas of auditor competency: experience, skills, training, and education.

Does your company ask incoming inspectors to update CAD drawings when a design changes occur? Of course not. Your company has engineers trained to use SolidWorks, and it takes a new engineer a while to become proficient with the software. Auditing is a skill that you learn—just like SolidWorks.

I’ve never met a manager who wondered where the value was in having an engineer update a drawing, but many managers view internal and supplier audits as a necessary evil. Instead of asking the expert how few audit days you can get away with, ask the expert: “What is the purpose of auditing?”

Internal auditing aims to confirm that the management system is effective and identify opportunities for improvement. Supplier auditing seeks to verify that a supplier can meet your needs and identify opportunities for improvement; therefore, if an auditor finds no nonconformities or opportunities for improvement, what a waste of time!

To receive value from auditing, you need competent auditors. Clause 6.2.1 of the ISO 13485 Standard states, “Personnel performing work affecting product quality shall be competent based on appropriate education, training, skills, and experience.” As the audit program manager, recruit people who demonstrate auditing competency.

Education

First, educational background is essential for auditors. You cannot expect someone who has never taken a microbiology course to be an effective auditor of sterilization validation. Likewise, someone who has never taken a course in electricity and magnetism will not be effective as an auditor for active implantable devices. Therefore, determine what types of processes the auditor will be auditing. Then, ensure that the person you hire has the necessary education to understand the processes they will be auditing.

Training

Second, auditors need to be trained before they can audit. The auditor needs training in three different aspects: 1) the process they will be auditing, 2) the standard that is the basis for assessing conformity, and 3) auditing techniques. If you are auditing Printed Circuit Board (PCB) manufacturers with Surface-Mount Technology (SMT), then you need to learn about the types of components used to make PCBs and how these components are soldered to a raw board. I know first-hand that anyone can learn how SMT works, but it took me a few months of studying.

If your company only sells medical devices in the United States, you will need to learn 21 CFR 820 (i.e., – the QSR). However, suppose your company also sells devices in Europe or Canada. In that case, you will need to learn ISO 13485, the Medical Device Directive (MDD) (93/42/EEC as modified by 2007/47/EC), and the Canadian Medical Device Regulations (CMDR). I learned about ISO 13485 in a four-and-a-half day lead auditor course in Florida,  MDD in a three-day CE Marking Course in Virginia, and the CMDR in a two-day course taught by Health Canada in Ontario. A 50-minute webinar on each regulation is not sufficient for auditing.

Finally, you need training in the techniques of auditing. A two-day course is typically needed. I took a 50-minute webinar and passed a quiz before conducting my first internal audit, but I had not developed my skills. 

Skills

Third, an auditor needs communication, organizational, and analytical skills to be helpful as an auditor. Communication skills must include the ability to read and write exceptionally well, and the auditor needs to be able to verbally communicate with auditees during meetings and interviews. The most difficult challenge for auditors is covering all items on their agenda in the time available. The auditor rarely has more time than they need to audit any topic, and audit team leaders must be able to manage their own time and simultaneously manage the time of several other auditors. 

Experience

Last but not least, an essential aspect of auditor competency is experience. This is why third-party auditors are required to act as team members under the guidance of a more experienced auditor before they are allowed to perform audits on their own. This is required, regardless of how many internal or supplier audits the person may have conducted. More experienced auditors are also required to observe new auditors and recommend modifications to their techniques. Once a new auditor has completed a sufficient number of audits as a team member, the auditor can practice leading audits while being observed. After six to nine months, a new auditor is finally ready to be a lead auditor on their own. An internal auditor does not need the same degree of experience as a third-party auditor, but being shadowed two or three times is not sufficient experience for an auditor (first or second-party). For more information about this topic, please read my blog posting on auditor shadowing.

The Audit Program Manager: 4 Areas of Auditor Competency Read More »

Internal Audit Training for New Hires

1 Comment / ISO Auditing / By / ,

 

welcome aboard Internal Audit Training for New Hires

The author discusses a few proven internal audit training strategies (i.e., shadowing, auditing process owners) for new hires.

Once you have identified someone that you want to “hire” as an internal auditor, your next step should be to develop an “Onboarding plan for them with their boss. If you are hiring someone that will be a dedicated auditor, please ignore my quotation marks above. In most companies, however, the internal auditors are volunteers that report to another hiring manager. Therefore, as the audit program manager, you need to get a firm commitment from the auditor’s boss with regard to the time required to train the new auditor and to perform audits on an ongoing basis. 

Winning Over the Boss

In my previous posting, I said that “The biggest reason why you want to be an auditor is that it will make you more valuable to the company.” The auditor’s boss may or may not agree with this statement, but the boss knows that the salary is coming out of their budget either way. Therefore, talk with the auditor’s boss and determine what the auditor’s strengths and weaknesses are. Find out which skills the boss would like to see the auditor develop. By doing this, the two of you can develop a plan for making the auditor more valuable to their boss AND the company. 

Making Re-Introductions

Ideally, auditors are extraverted and have worked at the company long enough to know the processes and process owners that they will be assigned to audit—especially if they will be auditing upstream and downstream from their process area. In the past, the auditor may have been a customer or a supplier, but now the relationship with a process owner will change. Auditors are required to interview process owners, and this involves asking tough questions that might not be appropriate in the auditor’s regular job duties. Therefore, as the audit program manager, you should re-introduce the auditor to the process owner in their new capacity as an auditor. During this re-introduction, it is important to make three points:

  1. The auditor is going to be trained first (on auditing and ISO 13485)
  2. You will be shadowing the auditor during the audit, and
  3. The auditor’s job is to help the process owner identify opportunities for improvement

By making the first point, you are reminding the process owner of the scheduled audit—well in advance. You are also informing the process owner that this auditor will have new skills, and the process owner should have some tolerance for mistakes that new employees make. You might also mention that you would like to get the process owner’s feedback after the audit, so the auditor knows which areas they need to improve upon to become better auditors. The second point should put the process owner at ease—assuming the process owner has a good relationship with you as the audit program manager. It is important to be descriptive when “shadowing” is mentioned. Both the process owner and the auditor may not understand the process or the purpose of shadowing. The following blog posting might help with this: “How do you shadow an auditor? Did you learn anything?”

The third point is the most critical step in onboarding a new auditor. For an auditor to be successful, they must ADD VALUE! As an auditor, you cannot pretend to add value. The process owner should know their process, and they probably know which areas are weakest. The audit program manager should encourage the process owner to list some specific areas in which they are having problems. Ideally, the process owner would be informed of this need before the re-introduction. Then the process owner can be better prepared for the meeting, and hopefully, they will have a few target areas already identified. Targets with associated metrics are the best choice for a new auditor because these targets reinforce the process approach to auditing. 

Next Steps for Internal Audit Training

Once your new auditor has been re-introduced to the process owners, they will be auditing, and you need to begin the training process. As with any new employee, it is important to document training requirements and to assess the auditor’s qualifications against the requirements of an auditor. Every new auditor will need some training, but the training should be tailored specifically to the needs of the auditor. The training plan for a new auditor should include the following:

  1. A reading list of company procedures specific to auditing and external standards that are relevant
  2. Scheduled dates for the auditor to shadow another experienced auditor
  3. Scheduled dates for an experienced auditor to shadow the auditor during the first two process audits (upstream and downstream)
  4. Goals and objectives for the internal audit program; and
  5. Any training goals that the auditor’s boss has identified for the auditor

 

Internal Audit Training for New Hires Read More »

How to Finish your Audit Schedule by December 31st

1 Comment / ISO Auditing / By /

This blog provides viable options related to successfully completing your audit schedule by the end of the year.

Let’s say that there are 34 days until the end of 2012. You have four supplier audits and three internal audits to complete. Of course, all but two of these ISO 13485 audits are overdue. What should you do?

Options that might be readily available to you include:

  1. Get some help
  2. Perform remote audits
  3. Reschedule some of the audits for next year

There are some fantastic cartoons and jokes about doing more with less, but if you intend to complete seven audits before the end of the year, you might need some help. There really isn’t any time left to train someone so that they can conduct an effective audit by themselves. I expect to prepare a new auditor, which will take at least six months before I believe they can work solo. Even if you are less demanding than I am, you still would need time for classroom training and shadowing a couple of audits. Therefore, the best I believe you could hope for is one or two solo audits of the seven you need to complete.

Realistically, your only source of help would be already-trained auditors and consultants. The last month of the year is historically hectic for everyone–especially quality assurance auditors. Therefore, consultants will not be cheap, and you should commit to any qualified consultants available without too much delay (then again, maybe they are available because they are not very good). If you have any in-house auditors trained, do everything you can to get some of their time in the next few weeks.

Remote Audits

Option two is to perform remote audits. This is a viable option for you to justify for a supplier with an impressive quality track record or suppliers in other countries. However, a remote audit is not the same as asking a supplier to complete a survey. ISO 19011:2011 provides some guidance specific to remote auditing in Table B.1 of Annex B.

For a remote audit, you should still sample just as many records—if not more. You should conduct interviews by phone, Skype, or some similar technology. You should analyze any available data to help identify which processes appear to be effective and which need improvement. Suppose you are performing a remote audit for the first time. In that case, I recommend focusing on the same processes that you would not generally audit in a conference room rather than processes that you would typically audit where they occur—such as production controls. Regardless of which method you check, you should always request data.

Option three is to reschedule some audits for January 2013. I have often suggested this to clients, but very few follow this advice. If your company is late in conducting some audits, the vital thing to do is to document this, reschedule the audits, and take corrective action(s) to prevent it from recurrence. If you wait until January, you will have additional time to train an auditor, as well. Finally, consultants historically have more time available in January than in December.

In parallel with your efforts to catch up on your schedule, I also recommend the following:

Create a quality objective that measures the “on-time delivery” of audits and audit reports. This is an effective metric for managing an audit program.

Investigate the reasons for audits being overdue. If the occurrence was preventable, then I recommend initiating a CAPA. This will have two effects. First, your third-party auditors will see that you have identified the problem and taken appropriate corrective action(s). If you also discuss this during a Management Review, this information can be used effectively to change the grading of an audit finding to a “minor” or to potentially eliminate the finding altogether. Second, it will ensure that this doesn’t occur again.

How to Finish your Audit Schedule by December 31st Read More »

Scroll to Top