This article, Medical Device Academy-5 Proven Audit Approaches, reviews how our clients benefit from our tried and true audit principles.
1. Process Approach
I am an advocate for using turtle diagrams (i.e., the process approach) for auditing, instead of audit checklists. Beyond the obvious visual differences between using audit checklists and using turtle diagrams, these two tools result in very different types of observations. An auditor using a checklist typically starts with a regulatory requirement, and then the auditor samples record to verify if the records meet the requirement. Once this verification has been successful once, it is unlikely that the process will have a problem in the future.
Turtle diagrams and the process approach focus on inputs and outputs to a process–instead of specific regulatory requirements. For example, when an auditor uses the element approach to auditing, the auditor will sample one or more process validations from a master validation plan to ensure compliance with 21 CFR 820.75. However, step four of the process approach includes sampling process validation for each process being auditing. If there is a lack of process validation for any process, the auditor will identify the gap. Step four also involves verifying the calibration of devices used in the process and maintenance of any equipment. Therefore, the process approach is sampling requirements for process validation, calibration of measurement devices, and preventive maintenance for each process–instead of once for each regulatory element.
2. Where Audits are Conducted
Most auditors spend an extraordinary amount of time in conference rooms. If I can audit your records in a conference room, I can also audit your records from my office in Vermont. Remote auditing eliminates the cost of travel. More than half of your quality system records can be effectively audited remotely. Therefore, when any auditor on our team visits your facility, they want to spend more time seeing you demonstrate production processes and interviewing people–instead of reviewing records in your conference room. This also happens to be the only effective method to audit production and process controls, which is one of the four major quality system processes the FDA focuses on during Level 2, comprehensive QSIT inspections.
3. Read Less and Listen More
Most auditors like to start with a procedure and then look for compliance with the procedure. We begin with an interview of the process owner or a person performing a step in the process. Then we ask for a demonstration, and records and procedures last. I coach new auditors to ask people they are interviewing to show them where a requirement can be found in their procedure. This has several hidden benefits. First, auditors don’t have to spend a lot of time hunting for a requirement because the auditee will find it for the auditor. Second, the auditor will quickly learn how familiar the auditee is with the specific procedure. Finally, if the company is not following a procedure, the auditee is unlikely to be able to locate the requirement in its procedure.
4. Start at the End with Problems
Most people prefer to follow a process from beginning to end. More specifically, the opening is step one of a procedure, and the end is a product and paperwork resulting from the process. Since most product and paperwork is done correctly, we seldom find anything wrong with a process if we start at the beginning. Alternatively, we can start at the end of a process with a cage of nonconforming material, or a log sheet of complaints. Then we can work our way back to the beginning of the process, and hopefully, we will see what went wrong in the process during our investigation. Therefore, my internal audit agenda often begins with a tour of the facility that will arrive at the location where a quarantined product is stored. Then I work my way back through the process to incoming inspection, then the purchasing process, and finally to the design controls process where specifications were initially created. Using this approach often results in the discovery of problematic processes that have the potential to cause other problems beyond the one example we found in the quarantine area.
5. Focus on Effectiveness Checks
The last sub-clause of ISO 13485:2016, Clause 8.5.2, is specific to the requirement for verifying the effectiveness of corrective actions. This is not the same as verifying implementation. If an internal audit identifies that there are no maintenance records, then you might attempt to prevent recurrence by creating a procedure that requires maintenance records. A copy of the procedure, records of procedure review, and approval and training records are evidence of implementing the corrective action.
Effectiveness verification requires more (http://bit.ly/CAPA-effectiveness-checks). You need to go back and verify that maintenance records are being created and maintained. Therefore, whenever we write an audit finding, we also review potential corrective actions with the client and suggest possible effectiveness checks to ensure corrective actions work.
If your company needs help with internal auditing and would like a quote, please email Matthew Walker. We also are teaching a lead auditor course in partnership with AAMI starting fall 2020.