When considering obtaining an ISO 13485 certificate, developing and implementing a quality management system (QMS) is not the end of the road. Indeed, medical device manufacturers must first ensure that their QMS conforms with the specified requirements and is effectively implemented and maintained, i.e., conduct an audit. On the path towards ISO 13485 certification, manufacturers should undergo an internal audit and then an external certification audit. Hence, we have prepared this article to support manufacturers in understanding the auditing process toward ISO 13485 certification.
What is a QMS audit?
The definition of audit in the context of QMS is provided in ISO 19011:2018 Guidelines on auditing management systems, together with other essential definitions:
| Term | Definition |
|---|---|
| Audit | Systematic, independent, and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. |
| Objective evidence | Data supporting the existence or verity of something. |
| Audit criteria | Set of requirements used as a reference against which objective evidence is compared. |
| Requirement | Need or expectation that is stated, generally implied, or obligatory. |

Therefore, QMS audits objectively evaluate whether a management system complies with a pre-specified set of requirements.
In the EU medical device sector, QMS audits are conducted to ensure compliance with the requirements of certain ISO standards (13485, 14155, etc.), EU regulations (EU MDR 2017/745 and EU IVDR 2017/746), and local requirements (such as the manufacturing licence in Spain).
The audit program, audit conduct and auditors’ competence
Audit programs aim to establish the guidelines for auditing a QMS with specific objectives during a determined period, i.e., annually. Audit programs should include the roles and responsibilities of the persons managing the audit program and their competence.
Generally, auditors will prepare a specific plan for each audit within the program. The audit plan will describe the objectives, scope, and criteria that should align with the overall audit program objectives.
Below you can see the typical audit process and the most relevant activities.
The competence of the audit team is critical for the success of QMS audits. ISO 19011 clause 7 focuses on the competence and evaluation of auditors and considers personal characteristics, generic knowledge and skills, the knowledge of the relevant management system discipline, industry sector, regulations, and auditor competence.
When conducting an audit, auditors should keep in mind the principles of auditing:
- Fair presentation
- Due professional care
- Evidence-based approach
- Risk-based approach
Internal audits are also referred to as first-party audits and are a requirement for medical device manufacturers per ISO 13485 clause 8.2.4:
“The organization shall conduct internal audits at planned intervals to determine whether the quality management system:
- conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements;
- is effectively implemented and maintained.”
Internal audits are conducted by the organization to review its QMS, determine whether its processes are improving its ability to provide products and services to customers and evaluate the system’s conformance with the standard’s requirements.
Internal audits should be conducted following an audit program, including the processes/areas to be audited, the frequency of reviews, audit criteria, scope, and methods. When preparing the program, a risk-based approach should be used (e.g., a process or area that has had several findings in the past will be audited more often than an area that has consistently been shown to be compliant). Most companies plan annual internal audits to cover two to four areas each quarter. The frequency of internal audits depends on the organization, but at least one annual audit would be required.
The output from the internal audits serves as one of the inputs for the management review, where the organization’s management team will discuss the findings from the internal audit and decide on follow-up actions.
When conducting internal audits, manufacturers should factor in that, to ensure objectivity and impartiality, the internal audit should not be undertaken by the person in charge of developing the system or overseeing the process. As ISO 13485 indicates:
“Auditors shall not audit their own work.”
External audits include second and third-party audits:
- Second-party audits are conducted by parties interested in the organization (i.e., a prospect or a customer). For example, a manufacturer that outsources the sterilization process might perform an audit to qualify the sterilization provider. Second-party audits are often conducted to comply with ISO 13485 clause 7.4.1.
- Third-party audits are conducted by external, independent auditing organizations that provide certifications or governmental agencies. Third-party audits are designed to reduce the need for second-party audits as certification assures potential customers that the QMS complies with the standard. Usually, third-party audits are divided into two phases: in the first phase, the auditor focuses on the evaluation of documented procedures; if successful, in the second phase the auditors will assess the implementation and effectiveness of the QMS. However, the audit plan and methods depend entirely on the organization performing the audit and its resources.
Do I need to perform an internal audit? And the external?
As stated above, the internal audit is a requirement according to ISO 13485 clause 8.2.4. In addition, to build a 13485-compliant QMS, the organization should document a procedure to describe how the internal audit will be planned, conducted, and reported. The organization should also maintain records of the audit results.
The external audit is not compulsory to comply with ISO 13485, but it is required to obtain official certification. Although several organizations provide ISO 13485 certificates, we recommend selecting an accredited certification body. These bodies are independently assessed by accreditation bodies and comply with ISO 17021 (Conformity assessment. Requirements for bodies providing audit and certification of management systems).
Maintain your QMS under ISO 13485: Follow-up audits
Once the QMS has been established, implemented, and certified, the organization should ensure the maintenance of the system. To this end, the organization should periodically plan and conduct internal audits. The internal audit’s scope, objectives, and plan will be detailed annually and vary according to company objectives and performance. Moreover, following certification, the certification body will audit the QMS annually. In addition, top management needs to include any feedback received from audits, both internal and external, as input to the management review meeting.
AKRN 13485 Quality Services
Our Quality Assurance team can support you with a wide range of activities:
- If you are a MedTech start-up, our team can support you in developing and implementing the complete QMS under ISO 13485 and MDR/IVDR.
- Perform gap assessments of the QMS under ISO 13485, where the team identifies the gaps of your QMS and proposes implementation measures.
- Our team of certified Lead Auditors can also support your company in developing and implementing specific QMS documentation required under ISO 13485, MDR, IVDR, or local requirements (such as the manufacturing license in Spain) for your activities.
- Our internal auditors will support you in performing internal audits under ISO 13485 to ensure independence in your auditing process.
- Have you already had your external audit? We can provide consultancy services to support you in resolving the findings or designing methods to implement the opportunities for improvement.
AKRN 13485 Lead Auditors
Ariadna Navarro Aragall, Ph.D.
Associate Director RA & QA
José Velazquez, M.Sc.
Quality Assurance Manager
Arancha López-Pérez, Ph.D.
Regulatory Affairs Scientist