Hello and welcome to the final installment of our QMS series on MedTech Compliance Chronicles! We've now navigated through all the intricacies of the Quality Management System, covering everything from design controls to CAPA processes. This week, we focus on the cornerstone of quality assurance: internal audits. These audits play a vital role in maintaining compliance with regulatory standards and driving continuous improvement within your organization. Join me as we break down the requirements, methodologies, and best practices for conducting thorough and effective internal audits.
The activities required for internal auditing apply to two separate tasks: the overall audit program and each individual audit. Many of the tasks are the same in each, just more or less general depending on whether you are planning for a specific audit or the overall program. You will need to plan both and establish the objectives and scopes of the program and each audit as well as the competence and independence of auditors. You will need to conduct the audits, then you will also need some method of analyzing the effectiveness of the audit program and methods for follow-up actions for each audit.
Planning & Preparation
Planning and preparation for internal audits ecompasses many of the same overall requirements for planning of most QMS activities. It starts with defining the objectives and scopes of the audit program and each audit within the program, followed by identification of the risks and opportunities. After all of that is worked out, you will define the roles and responsibilities within the audit program, establish the competence required for each role and resources required for the audit program and for each audit.
The objectives and scope of an audit program should be related to establishing evidence of the conformance of the quality management system to regulations or internal standard (21 CFR part 820 or ISO 13485:2016). Depending on the number of individual audits within the program, the objectives and scope for each audit may be either the same or a subset of the overall program’s objectives and scope. For example, for smaller companies, a single annual internal audit that reviews all requirements might be appropriate. In this case, the objectives and scope for that audit would be to establish evidence of conformance of the QMS to the regulations (or standard), the same as the overall audit program. However, if the organization is large or if the structure is very complex (such that it makes establishing independence for a single person across all requirements not possible) then the audit program may consist of multiple audits that focus on specific parts of the QMS requirements. In these cases, the audit objectives would be to establish evidence on conformity to specific subsections of part 820 or clauses of ISO 13485:2016 and the scope would be limited to the processes described in those subsections/clauses.
The identification of risks and opportunities is a standard practice in most planning scenarios. For audit risks and opportunities, you first have to ensure that all parts of the management system are covered! At this point you should begin thinking of two things 1) how many audits are required to meet the program objectives? And does the organization have sufficient independence among its personnel to fully audit the management system internally? Needing multiple audits will increase the risk of the program not being fully comprehensive of the QMS but could also reduce the time constraint for internal personnel during audits. For sufficient independence, first we will speak to why this is important. By regulation and standard, auditors are not allowed to audit their own work or work for which they are responsible, i.e., the plant manager should not audit manufacturing operations, even though he may not have performed the work himself, he is responsible for its completion. This requirement for independence is where the need for multiple audits arises in many organizations, because they simply do not have one person who is independent from everything to be able to audit everything. Another method around this is to hire an external auditor to perform your internal audits. The need to contract out internal audits is an important consideration in evaluating risks and opportunities as bringing in a person new to the operations of your organization for any period of time could result in risk.
After risk evaluation, the next steps will be to establish the roles and responsibilities for the audit program and provide the resources necessary to carry it out. Part of establishing the roles and responsibilities will also be establishing the competence of those carrying out audit activities. The competency of auditors refers to three primary things 1) their knowledge of the QMS requirements 2) their knowledge of the particular subject matter of the organization’s technology and 3) their knowledge of auditing. Depending on whether the plan is to contract out internal audits or carry them out internally, certain aspects of these requirements need some more scrutiny. If the audits are planned to be carried out internally, your training and hiring processes should have established a degree of competency already but the roles and responsibilities need to be thoughtfully examined to ensure independence is maintained throughout all areas of the management system. On the other hand, if you plan on contracting out internal audits, roles and responsibilities of the individual audits are less scrutinized as the external auditor should not have any conflicts, however, you must do your due diligence in ensuring that the selected auditor is actually competent to audit your management system. Resources for audits depend on the specific situation but oftentimes include access to certain restricted areas, PPE for auditors and guides/supervision around the manufacturing environment.
Execution
Now that we have put together a solid plan for how we will conduct our internal audit(s) it is time to begin executing them. In general, most audits follow a very similar structure. The auditor(s) will open on the first day with a meeting that introduces themselves and presents the plan for the audit. This will typically detail at a minimum the criteria against which the organization is being audited (the regulations and/or standards), the gradings on nonconformities and methods for disputing findings. After that, the auditor(s) will begin their auditing activities. The audit will typically close with a very similar meeting to the opening meeting.
Auditing activities will follow an overall process of collecting information, comparing it to the audit criteria and reaching conclusions based on the comparison. The information will be collected via means of observations, interviews and procedure reviews. Only information which can be verified by some means will be considered as evidence. The means of verification will be the same as the means of collecting it with the auditors observing the actual production facilities in detail as opposed to what might have been observed in an initial tour. They will interview actual employees to verify that work is performed as described in procedures and as described when interviewing management. They will review records of production information to ensure that all production requirements are being met including, identifying and segregating nonconforming product, traceability, in-process and final inspections are performed and documented accordingly, etc. Whatever evidence is found will be compared against the audit criteria, which will be at a minimum title 21 part 820 requirements and whatever internal requirements you have established. Internal requirements encompass all of your organization’s documented requirements, or essentially, what you say you do in your procedures. Something to remember when writing your procedures is that once you document it, it becomes an auditable requirement. With the results of the comparisons the auditor will determine if, based on the evidence, the organization is in conformance with the requirements or nonconformance.
After all auditing activities are completed, the closing meeting will be conducted. The closing meeting generally includes the same attendees as the opening meeting. The closing meeting will discuss the findings and any follow up activities required. The methods and communication channels for resolving any disputes about the audit should also be communicated in this meeting.
Follow-up & Reporting
Unfortunately, the conclusion of the audit itself does not conclude the work for the audit. Every audit must have a report and, if nonconformities are found, follow up activities are usually required. Follow up activities are typically just generating a corrective action plan for the found nonconformances and providing evidence of the completion and implementation of the corrective actions. Depending on the severity of the nonconformance, a re-audit of the deficient areas may be required. After all follow-up activities are completed, the auditor will generally issue the official audit report within two weeks to one month. The report is required to be reviewed by managers who have responsibility over the areas that were audited. The reports should also be reviewed in management review to assist in determining the effectiveness of the overall audit program.
Conclusion
In conclusion, internal audits are a vital component of the Quality Management System, ensuring that all processes meet regulatory standards and organizational policies. By meticulously planning, executing, and following up on audits, organizations can identify areas for improvement, enhance compliance, and foster a culture of continuous quality enhancement. As we wrap up our series on QMS requirements, remember that the true value of internal audits lies in their ability to drive meaningful, data-driven improvements across your entire organization.
Comentários