ISO 13485:2016 Internal Audit SOP: Compliance Guide
Having a well-structured audit checklist for ISO 13485 is the single most important step you can take to ensure consistency, reduce errors, and save countless hours of repeated effort. Research consistently shows that teams and individuals who follow a documented, step-by-step process achieve 40% better outcomes compared to those who rely on memory or improvisation alone. Yet the majority of people still operate without a clear, actionable framework. This comprehensive ISO 13485:2016 Internal Audit SOP template bridges that gap, giving you a battle-tested, ready-to-use guide that covers every critical step from start to finish, so nothing falls through the cracks.
Complete SOP & Checklist
Standard Operating Procedure
Registry ID: TR-AUDIT-CH
Standard Operating Procedure: ISO 13485:2016 Internal Audit Protocol
Introduction
This Standard Operating Procedure (SOP) outlines the mandatory requirements and procedural steps for conducting an internal audit against ISO 13485:2016 standards. The objective is to verify that the Quality Management System (QMS) is effectively implemented, maintained, and remains compliant with regulatory requirements for medical devices. This audit serves as a critical tool for identifying non-conformities, assessing process risks, and driving continuous improvement.
1. Audit Preparation & Documentation
- Audit Scope Definition: Clearly define the physical locations, departments, and specific processes (e.g., Design & Development, Purchasing, Production) to be audited.
- Team Selection: Ensure auditors are independent of the process being audited to prevent bias.
- Document Review: Review the previous audit report, current Quality Manual, and open Corrective and Preventive Actions (CAPAs) to identify high-risk areas.
- Schedule Notification: Distribute the audit agenda to process owners at least 5 business days in advance.
2. Quality Management System (QMS) & Management Responsibility
- Quality Manual: Verify the manual is current, approved, and clearly maps the scope of the organization’s medical device activities.
- Management Review: Check records of management reviews to ensure top management is evaluating the effectiveness of the QMS at planned intervals.
- Resource Management: Validate that personnel are competent based on appropriate education, training, skills, and experience.
3. Product Realization & Design Control
- Design & Development (D&D): Review D&D files. Ensure design inputs, outputs, verification, validation, and design changes are documented and controlled.
- Risk Management: Confirm that ISO 14971 standards are applied throughout the product lifecycle; ensure risk files are updated with current clinical data.
- Purchasing Controls: Audit the Approved Supplier List (ASL). Verify that suppliers are periodically evaluated and monitored based on their ability to meet requirements.
4. Production and Service Controls
- Cleanliness & Contamination: Check that processes for product cleanliness and contamination control are implemented and monitored.
- Traceability: Verify that unique device identification (UDI) or batch/lot tracking is functional and effective for all products.
- Validation of Processes: Ensure that any process where output cannot be verified by subsequent monitoring (e.g., sterilization) is validated.
5. Monitoring, Measurement, and Improvement
- Internal Audit Records: Verify that internal audits are conducted according to the schedule and that findings are documented.
- CAPA System: Review the CAPA log. Ensure root cause analysis (RCA) is performed and that corrective actions are verified for effectiveness.
- Customer Feedback: Review complaints and feedback mechanisms. Ensure that customer complaints are investigated and reported to regulatory authorities if required (MDR/Vigilance).
Pro Tips & Pitfalls
- Pro Tip (The "Show Me" Method): Don't just ask, "Do you follow this procedure?" Ask, "Show me how you execute this process," and request a recent record as evidence.
- Pitfall (Incomplete Documentation): A common audit finding is the "If it isn't documented, it didn't happen" scenario. Even if a process is perfect, a lack of objective evidence constitutes a non-conformity.
- Pitfall (Ignoring Changes): Auditors often miss changes in software versions or equipment calibration status. Ensure that change control is applied to all modifications, regardless of how minor they appear.
- Pro Tip (Focus on Risk): Dedicate more audit time to processes with the highest clinical risk to the patient.
FAQ
Q: How often must an internal audit be performed?
A: ISO 13485 requires internal audits to be performed at planned intervals. Generally, this is interpreted as a comprehensive audit of the entire QMS at least once per calendar year.
Q: What is the difference between a minor and major non-conformity?
A: A minor non-conformity is an isolated incident where a requirement is not met. A major non-conformity represents a systemic breakdown of a process or a significant risk to product safety and regulatory compliance.
Q: Can I audit my own department?
A: No. To maintain objectivity and impartiality, auditors must not audit their own work or processes they are directly responsible for managing.