auditing

Audit Scheduling Options: Are you running out of time?

An auditor quit, and you need some audit scheduling options to complete your audit schedule by the end of the year. Sound familiar?

What will happen if you don’t finish your audit schedule by December 31?

It’s October 14, and there are 78 days left in 2025. You have four supplier audits and three internal audits to complete. Unfortunately, one of the lead auditors on your team just resigned. It will probably take a couple of months to fill the position. Top management wants to know how you are going to complete the audit schedule on time. Before you panic, ask yourself one question: “What will happen if you don’t finish your audit schedule by December 31?”

You have audit scheduling options, because December 31 is an arbitrary deadline.

Consequences of audit failure?

Most companies fear receiving an FDA 483 inspection observation or a nonconformity from a third-party auditor because they did not complete their audit schedule as planned. This might happen, but what are the consequences? During opening and closing meetings, we remind clients that there is only one possible outcome of any audit:

Audit Scheduling Options include making no changes, because the outcome is always "improve and open a CAPA."

Opening a CAPA takes time and resources, but top management should never make the situation worse by reprimanding (or firing) someone because of an audit finding. If an employee is not doing their job, the quality system’s monitoring and measurement should identify the problem before the audit. Disciplinary action is not a corrective action. Top Management is responsible for providing the resources to maintain the effectiveness of the quality system. Regardless of why the audit schedule was not completed, the quality system needs to be robust enough to withstand the resignation of a single employee. Top management needs to temporarily reassign the former employee’s responsibilities to other employees and/or seek outside help. It may even be necessary to reschedule some activities, such as audits. Top management needs alternatives, including audit scheduling options, so they can create a transition plan while a replacement is recruited or promoted from within. That transition plan also needs to be documented.

Using a risk-based approach to audit scheduling

Not all audits are equally important. If you have seven audits (i.e., two second-party and three first-party audits) left to complete, first evaluate the importance of each audit and assess the risks of delaying any of them. Any routine audits can be rescheduled. Just update your audit schedule to reflect new dates for the routine audits. Non-routine audits include: 1) supplier qualification, 2) investigation of supplier nonconformities, 3) CAPA effectiveness checks, and 4) investigation of internal processes with quality problems. If your incomplete scheduled audits were non-routine, they should be prioritized. Below is a list of audit scheduling options to consider:

  1. Consider other ways to qualify a new supplier than auditing (e.g., check references, review certifications, rely on a third-party audit report)
  2. Hire a consultant to conduct audits (both first and second party audits)
  3. Consider other ways to verify the effectiveness of a CAPA (e.g., quantitative acceptance criteria in a process validation report or process metrics compared before and after implementation of corrective actions)
  4. Place the product associated with suppliers or processes under quarantine until audits can be conducted.
  5. Conduct remote audits or reduce audit duration to complete them with fewer resources.

There are some fantastic cartoons and jokes about doing more with less, but if you intend to complete seven audits before the end of the year, you might need some help.

Training more auditors can increase your audit scheduling options.

Seventy-eight days might not be enough time to train a new auditor and complete all seven audits, but you can complete lead auditor training, and the newly trained auditor can help. If you are assigning a new auditor to conduct an audit, we recommend assigning them to conduct virtual audits via teleconference recordings (e.g., Zoom). These audits could be supplier audits or internal audits. This would allow an experienced lead auditor to review the recordings after the audit is completed. If the experienced auditor identifies any gaps or audit trails that should have been pursued, they can review the recordings with the auditor-in-training to identify follow-up actions if needed and to help them learn from their mistakes before their next audit. Historically, new lead auditors required a “shadow” to observe them during training. Today, we can use virtual auditing, and the observer’s feedback is actually better.

What if you need more auditors?

As we mentioned above, you can train new lead auditors. However, if you have one or more auditors who are qualified as lead auditors, you can schedule team audits instead. It takes less time to train an audit team member than it does to train a lead auditor. In a team audit, the audit can be completed more quickly. A team audit is an excellent solution for internal audits, because supplier audits usually require a single auditor. Adding a second auditor to a supplier audit would not save significant time, because travel to the supplier is still required. For an internal audit, the audit duration can be reduced from 3 or 4 days to 1.5 or 2 days. It is also possible to conduct partial internal audits that take less than a day.

Consider changing the duration of your audit schedule.

The last quarter of the year is historically hectic for everyone — especially quality assurance auditors. Therefore, we try to avoid scheduling audits near the end of the year. It’s much easier to schedule audits in the first quarter of the year (i.e., January – March). Another audit scheduling option is to create an 18-month schedule rather than a 12-month one. As stated in the YouTube video embedded above, an 18-month audit schedule ensures that several months are remaining in your audit schedule at any time.

Did you consider scheduling remote supplier audits?

If you were only planning on-site supplier audits, considering remote supplier audits expands your audit scheduling options. Remote audits are always permitted for first- and second-party audits, but they are most effective when on-site audits of the supplier have been conducted previously. However, a remote audit is not the same as asking a supplier to complete a survey. ISO 19011:2018 provides guidance on remote auditing in the annexes. For a remote audit, you should still sample the same number of records—if not more. You should conduct interviews by phone, Zoom, or some similar technology. You should analyze any available data to help identify which processes appear to be effective and which need improvement. If you are performing a remote audit for the first time, I recommend focusing on the same processes you would not generally audit in a conference room, rather than on those you would typically audit where they occur—such as production controls. Regardless of which method you use, you should always request data.

Metrics to consider for your quality auditing process

In parallel with your efforts to catch up on your audit schedule, top management should consider implementing a process metric for “on-time delivery” of audits and audit reports. This is an effective metric for managing an audit program, and it is especially important to monitor it when you have turnover among trained lead auditors. If any audit or audit report is delivered late, investigate the reasons for the audit being overdue. If the occurrence was preventable, then I recommend initiating additional countermeasures to improve the audit process. This might include opening a CAPA. This will have two effects. First, your third-party auditors will see that you have identified the problem and taken appropriate corrective action(s). If you also discuss this during a Management Review, this information can be used effectively to change the grading of an audit finding to a “minor” or to potentially eliminate the finding altogether. Second, it will ensure that this doesn’t occur again.

Auditing Design Controls

Learn how to apply the process approach when auditing design controls and discover how audit checklists fail to identify problems.

Examples of auditing design controls with an audit checklist:

Audit checklists list each requirement in a standard or regulation. When auditing design controls, an audit checklist lists each of the ten subsections of the ISO 13485:2016 standard. For example, here are potential audit checklist questions for the first three subsections:

  • Clause 7.3.1 – Which procedure(s) defines your design control process?
  • Clause 7.3.2 – What is the design plan for your new product? When was the plan last updated?
    • a) What are the phases of your project plan?
    • b) In which phases are design reviews planned?
    • c) In which project phases are verification, validation, and design transfer activities performed?
    • d) Who is responsible for approval of design changes during the project? Who is responsible for updating the design plan as the project progresses?
    • e) How do you demonstrate traceability between hazards, design inputs, design outputs, and testing requirements?
    • f) What equipment and software do you use? What are the training requirements for your design team?
  • Clause 7.3.3 – How do you document design inputs? When were the design inputs reviewed and approved?
    • a) What are the performance requirements? What are the safety requirements? What are the usability requirements?
    • b) What are the applicable regulatory requirements and standards?
    • c) Which hazards have you identified?
    • d) Which design requirements were transferred from a previous design of your device?
    • e) How do you ensure that essential principles of safety and performance are met?

How can you improve the first question on the checklist?

The problem with the above questions is that they do not evaluate linkages with other processes. For example, when you ask what procedure(s) defines the design control process (e.g., SYS-008, Design Control Procedure and SYS-006, Change Control Procedure), you can also ask the revision of that procedure(s). The record associated with that document change can be used to evaluate the effectiveness of the document control process. For example, were all the job functions that reviewed and approved the previous version of the procedure represented during the review and approval of the current revision? The procedure itself can also be reviewed to make sure that it includes the appropriate elements for a procedure (e.g., scope, references, roles/responsibilities, description of the process, revision history, etc.). This approach to verifying the effectiveness of the document control process can be applied to every procedure within every process.

What are the problems with using an audit checklist?

An audit checklist is always based on the same regulation or standard. Therefore, when establishing a quality system, using an audit checklist is ideal preparation for the initial certification audit. However, if internal auditors ask the same questions during every audit, then auditees begin to anticipate the questions. Anything not included in the audit checklist may be overlooked. For example, when auditing design controls, there are no requirements for supplier controls mentioned in Clause 7.3. Therefore, an audit checklist will not include any questions about the qualification of suppliers that support design and development (e.g., software developers), as those requirements are already addressed in Clause 7.4.2 (i.e., purchasing information).

Another problem with using audit checklists is that auditors may rely too heavily on the checklist as a crutch. Auditors are supposed to plan the audit agenda based on the importance of areas and the results of previous audits. If the auditor relies solely on the checklist, each clause is assigned equal importance — regardless of its importance or the results of previous audits. Auditors also need to verify compliance with all applicable standards. Creating a checklist for risk management (i.e., ISO 14971), software lifecycle management (i.e., IEC 62304), usability engineering (i.e., IEC 62366), and information technology security management (i.e., ISO 27001) would be extremely time-consuming, and auditors would not be able to complete all of the checklist questions. Auditors require a more efficient method to assess the effectiveness of a process and verify compliance with requirements.

Basics of the process approach to auditing

The process approach to auditing is different. Instead of creating a checklist that is specific to the requirements for each process in the standard, the process approach relies on asking seven basic questions and then following the audit trails presented by the answers to those questions. The tool we use to help us remember the seven questions is a “turtle diagram.” The shape of the turtle has seven elements:

  1. body (description of the processes)
  2. head (inputs to the process)
  3. tail (outputs from the process)
  4. leg #1 (what equipment and software is required)
  5. leg #2 (who performs the process)
  6. leg #3 (what procedures and forms are used in the process)
  7. leg #4 (which metrics are used to monitor the process)

Note: It’s only 7 steps. You don’t have to tattoo a turtle diagram on your arm.

The diagram below uses the image of a turtle to remind you of the seven elements, but we added the subclauses from ISO 13485 that are related to auditing design controls. A brief summary of how these subclauses are related is provided in the video above; more details on each part of the turtle diagram are provided below, specifically for design controls.

This turtle diagram is a tool that we use for auditing design controls and it shows the applicable Clauses from ISO 13485

Step 1 – Describe the process

The first step in creating a process audit is to identify the process owner and conduct an interview with them. We recommend doing this in their office, not in the conference room, for three reasons:

  1. Auditor effectiveness will improve if you periodically get up and walk around, because it will make you more alert.
  2. Conference rooms isolate auditors from daily operations, and the auditor may not gain an appreciation for where people perform their work or the proximity of the design team leader to the rest of the team.
  3. Auditees will be more relaxed in their office when being interviewed than they would be in a conference room.

After the process owner provides a brief description of the process, try to get answers to steps 2-7 directly from them in the same interview. Asking open-ended questions to prevent “yes/no” responses will be helpful. You also need a comprehensive understanding of the design control process before interviewing other team members or requesting design records.

Step 2 – Inputs

Even when auditors use the process approach to auditing, this part of the turtle diagram is frequently incomplete when auditing design controls. The obvious answer is to review the auditee’s approval of design inputs. This is a required record for design controls in Clause 7.3.3; however, it is not the only process input for design controls. As stated in Clause 7.3.3, “These inputs shall include…c) applicable output(s) of risk management.” Additionally, Clause 8.2.1 states, “The information gathered in the feedback process shall serve as potential input into risk management for monitoring and maintaining the product requirements as well as the product realization or improvement processes.” Therefore, both risk management and post-market feedback should be included as inputs to the design process. Using the process approach when auditing design controls will show you if the interactions between the risk management process, post-market surveillance process, and the design control process are adequate. Other inputs that should be considered for the design control process include regulatory requirements, such as:

  • Common Specifications (EU)
  • General Safety & Performance Requirements
  • Applicable Safety and Performance Standards
  • Applicable FDA Guidance

Step 3 – Outputs

Most auditors do an excellent job of covering the process outputs when auditing design controls (or any process), as the outputs typically include records, and auditors document which records they reviewed in their audit report. For the design controls process, the Design History File (DHF) (i.e., Clause 7.3.10) is the primary record sampled, and the Device Master Record (DMR) is the second most commonly sampled record. With the changes to the FDA requirements for the QMSR, auditors will be looking for a Medical Device File (i.e., Clause 4.2.3) instead; however, the records should remain the same, with just a new name. If the device is CE marked, there should also be a technical file or a technical file index.

Step 4 – What Resources

A critical part of auditing is to verify that a process is not only documented but also implemented. To implement any process, equipment or software will likely be necessary. For the implementation of design controls, most companies utilize quality system software to manage documents and records for each design project. For example, Grand Avenue Software could be used for managing the medical device file (i.e., Clause 4.2.3), and AdaptivRisk may be used for managing the risk management file. There may also be some calibrated testing equipment that requires validation, calibration, and maintenance. Therefore, this step in the turtle diagram usually involves the following ISO 13485 clauses:

  • Clause 7.5.6 – process validation
  • Clause 6.3 – infrastructure (i.e., maintenance)
  • Clause 7.6 – monitoring of measurement equipment (i.e., calibration)

This is typically the step of a process audit where the auditor needs to identify “what resources” are used in the process. However, only companies that have software systems for design controls have resources dedicated to Design and Development. I have indicated this in the “Turtle Diagram” presented above.

Step 5 – Who

The next step in the process approach to auditing design controls is to identify who is assigned to the design team for a design project. Sometimes companies assign large teams. In this case, the auditor should focus on the team members who must review and approve design inputs (see Clause 7.3.2) and design outputs (see Clause 7.3.4). All team members should have training records (i.e., Clause 6.2) for Design Control procedures and Risk Management procedures. However, if the device includes software and internet connectivity, some members of the design team will require additional training on specific standards and protocols. It is also necessary to outsource processes that cannot be performed by the manufacturer, such as software development, cybersecurity testing, biocompatibility testing, and EMC testing. For these outsourced processes, the company must document the supplier’s qualification and establish a written agreement with that supplier (i.e., Clause 7.4.2). Examples of agreements could be a supplier quality agreement, a consulting contract, or a signed GLP testing protocol.

Step 6 – Standard Operating Procedures (SOPs) or “How done”

Auditors using the process approach to auditing often discover ineffective processes when they expand the scope of design controls beyond the scope of the design control procedure. The design team leader will identify the design control procedure(s) and forms. However, the auditor should also request copies of the risk management procedure and other related procedures. The other procedures may have different process owners, and the design team leader may not be adequately trained in those procedures. The auditor should not read and review these procedures. Auditors never have the time to do this. Instead, ask the process owner to identify specific procedures or clauses within procedures where clauses in the ISO Standard are addressed. If the process owner knows exactly where to find what you are looking for, their training was effective, or they may have written the procedure(s). If the process owner has trouble locating the clauses you are requesting, spend more time sampling training records. You may also want to ask if there is another person who is more familiar with the procedure. This step of the process approach is also when you should be sampling records of document control (i.e., Clause 4.2.4).

Step 7 – Metrics

The seventh step of the turtle diagram is typically where the auditor discovers the most value-added findings. The auditor will ask the process owner to identify some metrics (i.e., Clause 8.2.5) or quality objectives (i.e., Clause 5.4.1) they are using to monitor and improve the design and development process. This is a struggle for many process owners — not just the design team leader. If any metrics are not performing up to expectations, there should be evidence of actions being taken to address this. If the process owner is not tracking metrics, you may want to review how closely the actual project schedule aligns with the design project plan. Design projects are frequently delayed because the design team either does not request quotes early enough or does not involve the supply chain manager soon enough, or both. There is also considerable benefit derived from conducting retrospective reviews at the end of design phases and at the project’s conclusion. The team will identify changes in time estimates that should be considered for future design projects or other ongoing projects.

Supplementary questions for auditing design controls

After all seven steps of the turtle diagram are complete, the process audit is not yet complete. The auditor needs to sample records and follow audit trails to ensure thoroughness. Therefore, additional records need to be sampled. We recommend sampling design changes because this is where inspectors and third-party auditors will typically focus. These external auditors will be looking for design changes that need regulatory approval and may not have been submitted for market authorization. The auditor may also sample using a risk-based approach when sampling design changes. In particular, we recommend looking for the following types of changes: 1) vendor change, 2) specification change, and 3) process change. By doing this, the audit will also cover the following clauses in ISO 13485:2016: 7.4 (purchasing), 7.3.9 (design changes), 7.5.6 (process validation), 7.1 (risk management), and 4.2.5 (control of records). If you would like to learn more about design changes, please watch our Design Changes Webinar.

Record sampling for auditing design controls

FDA inspectors and third-party auditors have similar approaches to auditing design controls. Both will begin by reviewing your procedure to verify that it includes all of the required elements of ISO 13485:2016, Clause 7.3. Next, they will sample a recent design project that was completed and request a copy of the design history file (DHF). Many design projects are behind schedule, and therefore, this is an important metric for most companies. Now that you have completed your “Turtle Diagram,” if you have more time, you can conduct interviews with team members to review their roles in the design process. You could also sample specific Technical Files, as I indicated above. If you are performing a thorough internal audit, I recommend doing both. To learn more about using the process approach to auditing, you can register for our webinar on the topic.

Process Approach to Auditing

The process approach to auditing is demonstrated using Turtle Diagrams as a tool instead of using traditional auditor checklists.

ISO 9001 Quality System Principles

ISO 9001 is the general quality system standard that was created in 1994. The ISO 9001 standard forms the basis for all other international quality system standards–including ISO 13485. There are seven quality system principles that form the basis of ISO 9001:

    1. Customer Focus
    2. Leadership
    3. Engagement of People
    4. Process Approach
    5. Improvement
    6. Evidence-based Decision Making
    7. Relationship Management

Is there more than one method of auditing?

There are several different approaches to conducting an audit:

  1. Regulatory checklist
  2. Procedural approach
  3. Element approach
  4. Contract audit
  5. Product audit
  6. Process approach

Each of these approaches to auditing is a valid approach. However, each approach has benefits and disadvantages. Therefore, an audit program manager should be knowledgeable of each approach when they are making recommendations to top management with regard to the audit program schedule.

Regulatory Checklist

The most common method of auditing is to use a regulatory checklist. This is the approach used by certification bodies for the Medical Device Single Audit Program (MDSAP). For each regulatory requirement or standard, there is a row in a checklist. This approach is also known as the element approach, because each clause or section of the applicable requirement constitutes an “element.” The requirements are in the left column, and the requirement is usually referenced (e.g., clause number). The subsequent columns of the checklist are intended to document which documents and records the auditor reviewed. The last column of the checklist is where the auditor documents what they looked for in those documents and records.

Each audit checklist is based on a standard or regulation. Therefore, if there are multiple applicable standards and regulations, multiple checklists would be needed to use this approach exclusively. The biggest disadvantage of this approach is that auditors use the checklist as a crutch and will ask only the questions on the checklist. The greatest benefit of this approach is that auditors can verify that all the requirements of a standard or regulation have been met. This is generally the best approach for internal auditing just prior to an initial certification audit (i.e., Stage 1 and Stage 2).

Procedural approach to auditing

The procedural approach to auditing is similar to the element approach. However, a checklist does not need to be created in advance, and for supplier audits, it is not practical to invest the time in creating a checklist for a supplier’s procedures. In the procedural approach, the auditor reviews the procedure and identifies important elements of the procedure in order to verify that they are being performed. Often, this is achieved by making a copy of the procedure and highlighting the requirements in the procedure to verify.

A contract audit is also similar to a procedural audit, but instead of using a procedure as the basis for the requirements, a supplier contract is used instead. If the supplier contract includes a quality agreement with all of the quality system and regulatory requirements defined, this approach may duplicate all requirements of a regulatory checklist. The biggest disadvantage of this approach is that it is unable to identify failures in the interactions between processes. This approach is ideal as an audit of a new or revised procedure, but the auditor may need to supplement this approach with the process approach to identify gaps in those interactions.

What is a product audit?

Product auditing involves auditing everything associated with a single product or product family. This is typically done when a new product is being launched, and the medical device manufacturer wants to audit manufacturing processes prior to launch (or a supplier if the manufacturing is outsourced). The auditor may review anything in the device master record (DMR – 21 CFR 820.181 in FDA QSR) or medical device file (MDF – ISO 13485:2016, Clause 4.2.3).

Product audits are also the approach used for unannounced audits. Unannounced auditors verify that the devices being manufactured and inspected match the drawings and specifications in the technical documentation that is approved for CE Marking. This verification includes inspection and testing methods for product release. Certification body auditors and FDA inspectors are both trained to focus on design changes, inspection methods, and especially the final test of devices prior to release. This focus is a risk-based approach where auditors sample the most important processes. If you are conducting a product audit, we recommend mirroring this approach.

What is the process approach to auditing?

The process approach is just a different way of organizing audits. Instead of auditing by clause, procedure, or product, you audit each process. Typical processes include:

  1. Design & development
  2. Purchasing
  3. Incoming inspection
  4. Assembly
  5. Final Inspection
  6. Packaging
  7. Sterilization
  8. Customer Service
  9. Shipping
  10. Management review
  11. CAPA
  12. Internal Auditing

Why the Process Approach is Recommended

The process approach to auditing is preferred over all other methods for two reasons. First, the process approach identifies linkages between processes as inputs and outputs. Therefore, if there is a problem with communication between departments, the process approach will expose it. If only a procedural audit is performed, the lack of communication to the next process is often overlooked.

Second, the process approach is a more efficient way to cover all the clauses of a standard than auditing each clause individually (i.e., the element approach). My rationale for the claim of greater efficiency is simple. There are 34 required procedures in the ISO 13485 Standard, but there are only 12 processes identified above. The “missing” procedures are incorporated into each process audit.

For example, each process audit requires a review of both the records as input and the outputs. In a process audit, training records can be sampled for each employee interviewed during the audit as part of an audit trail. Finally, nonconforming materials can be identified and sampled at incoming inspection, in assembly processes, during final inspection, during packaging, and even during shipment. The tool we use to teach the process approach is the “Turtle Diagram.” The diagram below illustrates the origin of the name.

Turtle Diagram explaining why the process approach to auditing tool is called a turtle diagram

Interviewing with the Process Approach

The first skill to teach a new auditor is how to interview. Each process approach audit should begin with interviewing the process owner. The process owner and the name of the process are typically documented in the center of the turtle diagram. Next, most auditors will ask, “Do you have a procedure for ‘x process’?” This is a weak auditing technique because it is “closed-ended” or yes/no. Closed-ended questions do little to gather objective evidence. Instead, start your interview with this simple request: “Please describe the process?” A process description gives you a general overview of the process if you are unfamiliar with it.

After receiving a general overview, try asking this question: “How do you know how to start the process?” Inspectors know that there is material for incoming inspection because raw materials are in the quarantine area. Companies use visual systems, electronic materials requisition and planning (MRP) systems, and paper-based systems to notify QC inspectors that the product is ready to be inspected. As an auditor, you are looking for a record to trigger the inspection process. A follow-up question is, “What are the outputs of the inspection process?” Once again, auditors need documents and records to review. Inspection records and any associated records (e.g., certificates of analysis) are the records the auditor samples to verify the effectiveness of the inspection process (i.e., Clause 7.4.3) and the process for control of records (i.e., Clause 4.2.4). The process approach allows the auditor to verify compliance with two clauses simultaneously.

The next step of the process approach is to “determine what resources are used by incoming inspection.” This includes gauges used for measurement, cleanliness of the work environment, etc. This portion of the process approach is where an auditor can review calibration, gowning procedures, and software validation. After “With What Resources,” the auditor then needs to identify all the incoming inspectors on all shifts. From this list, the auditor should select people to interview and follow up with a request for training records.

The sixth step is to request procedures and forms. Many auditors believe that they need to read the procedure. However, if a company has long procedures, this could potentially waste valuable time. Instead, you can ask the inspector to show you where to find various regulatory requirements in the procedures. This approach has the added benefit of forcing the inspector to demonstrate they are trained in the procedures—a more effective assessment of competency than reviewing a training record.

Challenging Process Owners

The seventh and final step of the turtle diagram seems to challenge process owners the most. This is where the auditor should review department quality objectives and assess if the department objectives are linked with company quality objectives. Manufacturing often measures first pass yield and reject rates, but every process can be measured. If the process owner doesn’t measure performance, how does the process owner know that all the required work is getting done? The seventh step is also where the auditor can sample and review the monitoring and measurement of processes and verify that trend analysis is an input into the CAPA process.

In my brief description of the process approach, I used the incoming inspection process. I typically choose this process for training new auditors because it is a process that is quite similar in almost every company, and it is easy to understand. More importantly, however, the incoming inspection process does an effective job of covering more clauses of the Standard than most audits. Therefore, new auditors get an appreciation for how almost all the clauses can be addressed in one process audit. If you are interested in learning more about Turtle Diagrams and the process approach to auditing, please register for our webinar on the process approach to auditing.

Software vendors – How do you audit software developers?

Learn how to qualify and audit software vendors to develop software as a medical device (SaMD) and software in a medical device (SiMD).

How do you audit medical device software developers?

Software medical devices are used to assist medical professionals. For example, radiologists use software to identify areas of interest for medical imaging. Do you know how to audit software vendors?

As a third-party auditor, I have had the pleasure of auditing software companies for CE Marking. When you audit a software company for the first time, it forces you to re-learn the entire ISO 13485 Standard. For example, if a company only produces software (i.e., software as a medical device or SaMD), there is very little to sample for incoming inspection and purchasing records. This is because the product is not physical—it’s software. Clauses of ISO 13485 related to sterility, implants, and servicing are also not applicable to SaMD products. If the software is web-based, the shipping and distribution clauses (i.e., Clause 7.5.1) might also present a challenge to an auditor.

The aspects of the ISO 13485 Standard that I found to be the most important to auditing software products were design controls and customer communication. Many auditors are trained in auditing the design and development of software, but very few auditors have experience auditing technical support call centers. When auditing a call center, most calls represent potential complaints related to software “bugs,” system incompatibilities with the operating system or hardware, and use errors resulting from the design of the user interface.

In most technical support call centers, the support person tries to find a workaround for identified problems. The problem with a “workaround” is that it is the opposite approach to the CAPA process. To meet ISO 13485 requirements, software companies must show evidence of monitoring and measuring these “bugs.” There must also be evidence of management identifying negative trends and implementing corrective actions when appropriate.

As an auditor, you should focus on how the company prioritizes “bugs” for corrective actions. Most software companies focus on the severity of software operations and the probability of occurrence. This is the wrong approach. Failure to operate is not the most severe result of medical device software failure. Medical device software can result in injury or death to patients. Therefore, it is critical to use a risk-based approach to the prioritization of CAPAs. This risk-based approach should focus on the severity of effects upon patients—not users. This focus on safety and performance is emphasized throughout the EU Medical Device Regulations and it is a risk management requirement in ISO 14971.

Referral to one of our favorite software developers

There are many vendors to choose from worldwide, but we prefer to work with smaller companies because our clients are start-up companies. We also prefer to work with vendors focused on the medical device industry. We also look for vendors that complement Medical Device Academy’s quality and regulatory expertise. Bold Type is a perfect example. The video below showcases the President and Founder, Jose Bohorquez. Bold Type provides software development services, cybersecurity consulting services, and software consulting services. If you are interested in speaking with Jose directly, please schedule a meeting with him online.

PS – We do not receive compensation from Bold Type–we just prefer to partner with firms that are ideal for our customers.
