One of the most important checking tools in a Quality Management System (QMS) for medical devices, or any management system, is the internal audit. The ISO 13485:2016 requirements are very clear that this is a critical element of your QMS; and, since you want to know how your processes are functioning, your internal audits become a key resource. Although audit checklists are not stated as a requirement in the ISO 13485:2016 standard, they are a widely used and important tool to make sure that when you perform an internal audit on a process, you do not miss any elements of that process.
What does ISO 13485:2016 require the internal audit to do?
To better understand the why and how of internal audit checklists, it is helpful to understand what the ISO 13485:2016 requirements state about why we do internal audits. As per clause 8.2.4 of the standard, the internal audit is there to perform two functions:
- to make sure that the processes are meeting the planned arrangements and regulatory requirements that the company has identified for the process in the QMS, and any requirements that the ISO 13485:2016 standard has in place for that process
- to make sure that the process is implemented and maintained effectively
So, when you are creating an audit checklist, you want to include the information needed to make sure that you successfully check these two outcomes of the process.
How do you create a checklist to check conformance?
An internal audit is there to witness the outcome of a process through a review of records or witnessing the actions of the employees, and then to compare this to the planned arrangements for the process to see if what is being done is what was planned. As can be seen above, there are two sets of planned arrangements to check: those required by ISO 13485:2016, and those that the company has put in place for their process to function.
For example, if you are auditing a purchasing process against the ISO 13485:2016 standard (section 7.4.1), you will want to confirm that external providers are evaluated, selected, monitored, and reevaluated based on their ability to provide processes, or products and services, according to the requirements, and that their lack of commitment would affect their risk associated with the purchased product. This is the ISO 13485:2016 requirement. The company might also specify that this is done using an audit of the customers every three years, which would be the company-defined criteria for the process.
From this, we can start to create the audit checklist. An audit checklist is basically a set of questions that the auditor wants to ask, or activities that the auditor wants to witness, in order to verify the planned arrangements as above. The checklist is created by reviewing the ISO 13485:2016 standard and any documented procedures or undocumented processes for the activity to determine what should happen. For the example above, the audit checklist could include questions on supplier evaluation, and a review of the supplier audit reports that have been collected, to see if they are done when determined by the QMS.
The checklist can include more than just questions; it can also include statements from the procedures that the auditor wants to check. Remember that the checklist is a tool for the auditor, and not something to give the auditee to fill out, so whatever format or questions and statements will be useful for the auditor to make sure that all important parts of the process are checked will work.
How can you tell if the process is effective?
The second part of the ISO 13485:2016 internal audit requirements can be trickier to evaluate; but, depending on the process, implementation can also be quite simple. Many companies will use the concept of key performance indicators for the processes when satisfying the ISO 13485:2016 requirements to evaluate performance. This concept is for the process owner to have one or several main measures for their process that will let them know that the process is functioning as expected.
So, if you have key performance indicators (KPIs), and these are maintained by your process owners, an assessment of process effectiveness can be included on your internal audit checklist by reviewing the KPIs and determining if the measures are showing that the process is meeting the expected outputs. If KPIs are not formally used, then asking the process owner how they know their process is effective is another good line of questioning for the internal audit checklist.
Why should you use checklists in your internal audit?
While the ISO 13485:2016 standard does not include requirements that state an internal audit checklist must be used, it is a useful and effective way to document the questions you need to ask to ensure that your process outputs meet the planned arrangements for your process. When you are reviewing your process plans, you can write down what you need to check, and in this way you can make sure that nothing important is forgotten. When you have finished an internal audit, you do not want to find that you have neglected to collect the proper information and need to reschedule your audit to complete it.
So, like many other tools in the QMS, the internal audit checklist is a time-saving tool that will help prevent mistakes, and if you are interested in implementing a lean-but-useful QMS, then tools such as the internal audit checklist are invaluable to help you in this endeavor.
For a graphical representation of the implementation process, check out this free Diagram of ISO 13485:2016 Implementation Process.