This article, Medical Device Academy-5 Proven Audit Approaches, reviews how our clients benefit from our tried and true audit principles.
1. Process Approach
I am an advocate for using turtle diagrams (i.e., the process approach) for auditing instead of audit checklists. Beyond the noticeable visual differences between audit checklists and turtle diagrams, these two tools result in very different types of observations. An auditor using a checklist typically starts with a regulatory requirement, and then the auditor samples records to verify if the records meet the requirement. Once this verification has been successful, it is unlikely that the process will have a problem in the future.
Turtle diagrams and the process approach focus on the inputs and outputs of a process–instead of specific regulatory requirements. For example, when an auditor uses the element approach to auditing, the auditor will sample one or more process validations from a master validation plan to ensure compliance with 21 CFR 820.75. However, step four of the process approach includes sampling process validation for each audited process. If there is a lack of process validation for any process, the auditor will identify the gap. Step four also involves verifying the calibration of devices used in the process and maintenance of any equipment. Therefore, the process approach is sampling requirements for process validation, calibration of measurement devices, and preventive maintenance for each process–instead of once for each regulatory element.
2. Where Audits are Conducted
Most auditors spend an extraordinary amount of time in conference rooms. If I can audit your records in a conference room, I can also audit your records from my office in Vermont. Remote auditing eliminates the cost of travel. More than half of your quality system records can be effectively audited remotely. Therefore, when any auditor on our team visits your facility, they want to spend more time seeing you demonstrate production processes and interview people instead of reviewing records in your conference room. This is the only effective method to audit production and process controls, one of the four primary quality system processes the FDA focuses on during Level 2, comprehensive QSIT inspections.
3. Read Less and Listen More
Most auditors like to start with a procedure and then look for compliance with the procedure. We begin with an interview with the process owner or someone performing a step in the process. Then we ask for a demonstration, and records and procedures last. I coach new auditors to ask people they are interviewing to show them where a requirement can be found in their procedure. This has several hidden benefits. First, auditors don’t have to spend much time hunting for a requirement because the auditee will find it for the auditor. Second, the auditor will quickly learn how familiar the auditee is with the specific procedure. Finally, if the company is not following a procedure, the auditee is unlikely to be able to locate the requirement in its procedure.
4. Start at the End with Problems
Most people prefer to follow a process from beginning to end. More specifically, the opening is step one of a procedure, and the end is a product and paperwork resulting from the process. Since most products and paperwork are done correctly, we seldom find anything wrong with a process if we start at the beginning. Alternatively, we can begin at the end of a process with a cage of nonconforming material or a log sheet of complaints. Then we can work our way back to the beginning of the process, and hopefully, we will see what went wrong in the process during our investigation. Therefore, my internal audit agenda often begins with a tour of the facility that will arrive at the location where a quarantined product is stored. Then, I worked my way back through the process to incoming inspection, the purchasing process, and finally, the design controls process, where specifications were initially created. Using this approach often results in discovering problematic processes that can potentially cause other problems beyond the one example we found in the quarantine area.
5. Focus on Effectiveness Checks
The last sub-clause of ISO 13485:2016, Clause 8.5.2, is specific to the requirement for verifying the effectiveness of corrective actions. This is not the same as verifying implementation. If an internal audit identifies no maintenance records, you might attempt to prevent recurrence by creating a procedure that requires maintenance records. A copy of the procedure, records of procedure review, and approval and training records are evidence of implementing the corrective action.
Effectiveness verification requires more (https://medicaldeviceacademy.com/capa-effectiveness-check/). You need to go back and verify that maintenance records are being created and maintained. Therefore, whenever we write an audit finding, we also review potential corrective actions with the client and suggest possible effectiveness checks to ensure corrective actions work.
If your company needs help with internal auditing and would like a quote, please email Matthew Walker. We are also teaching a lead auditor course in partnership with AAMI, which will start in the fall of 2020.