Are Medical Audits Improving Systems Or Only Driving Fixes? 

Is there a potential downside to medical audits wherein the audits are focused on finding and fixing problems? A recent discussion with a medical professional piqued my interest in the value of Medical Audits given that QMII, a subject matter expert in auditing, has ventured into the medical auditing field. This led to a conversation with a few additional healthcare professionals to understand a little more about medical audits, their findings and how organizations address them. My additional reading outlined a lack of effective systemic corrective action. In this article, I discuss some aspects of the medical audit process and what organizations can do to improve the process of audits and of implementing corrective action.

There are various types of medical audits including clinical audits, billing/coding audits, financial audits, operational audits and compliance audits. While there are regulations, protocols and standards against which these audits are conducted, in many cases, industry-best practices are also used as audit criteria. This brings subjectivity into the audit as ‘best practices’ knowledge may vary from auditor to auditor based on their experience. Auditing to an auditor’s experience has a major drawback not just in the medical industry but in all industries. It takes the auditors away from requirements which then results in biased inputs to the leadership that may be inaccurate.  This also leaves the auditee (the organization being audited) on the receiving end of findings for which there are no certain requirements. That is, they may make changes to their system based on the finding of one auditor only to find that another auditor objects to the very actions they implemented based on the previous auditor. 

Medical Audits and Recommendations 

In medical audits, it is common practice for auditors to provide recommendations to address findings. These recommendations are based on experience and industry-best practices. In ISO audits this is not allowed. In most industries, including the healthcare industry, there is no obligation to act upon any of the recommendations of an auditor. However, if auditors are perceived to be in a position of authority, then there is an underlying implication that the audit recommendation must be implemented. This is for fear of the nonconformity occurring again only for someone to say, “the auditor told you what to do and no action was taken”. This then also implies that audits do not delve deeply enough to identify systemic weaknesses within the processes or the workflow.

In speaking with the medical professionals within my professional circle of friends, it was surprising to hear that in many cases the personnel being asked to address the audit findings are unaware of any root cause analysis methodologies nor have they been given any formal training in the subject. Further, they are not clear about what a CAPA is but do know that they need to provide some action to close out the finding. In such cases, is it then fair to expect effective corrective action? Perhaps, the lack of effective corrective actions perpetuated the need for auditor recommendations! 

Without proper training, it is but natural for personnel responding to audit findings to default to the recommendations of the auditor and implement those actions prescribed by the auditor as the corrective action in and of itself. Sadly, in such cases the root cause of the issue goes unaddressed. Sometimes such causes may lie in inadequate resources, technology or even lack of guidance/policy from leaders. While the aim of the audits is to identify where the process may require additional controls, all for providing better healthcare for the patient, the outcome may only be a band-aid.

What can be done to change this? 

While change may not come overnight, there are a few key steps that can be taken to improve the audit process overall right up until corrective action and meet the end goal of providing better healthcare.  

Auditor training – Auditors must be trained to remain objective through the audit process, to focus on the requirements (criteria) of their audit, to focus on factual evidence and objectively assess it (yes, no experience!). Further they must understand the implications of providing recommendations and thus not provide any recommendations. The auditors are but to focus on assessing the effectiveness of the corrective action plan submitted and verifying the effectiveness of actions taken.  

Root Cause Analysis Training – Healthcare organizations must invest in providing their personnel with training in the different root cause analysis methodologies and how to apply them to identify the root cause(s) of a problem.

Reinforcing that Recommendations need not be accepted/addressed – Organizations must be professional to build the courage to stand up to auditors and not accept recommendations. Auditors do not know all facets of the process from the short sample of the organization they witness. If their “advice” in the recommendations is wrong/ineffective, who then pays the price? 

Auditor Selection – ISO 19011 provides guidance on the behaviors and skills that an auditor should exhibit, and these are applicable to an auditor selected to conduct any type of audit. Auditors must be evaluated periodically to ensure they are remaining objective through an audit and working to identify the effectiveness of controls and adequacy of resources in assessing if the overall objectives have been met.

Julius DeSilva, Senior Vice-President

Is your organization ready for MDSAP?

Quality is important in all industries but perhaps more so in the medical industry and for those organizations producing medical devices. Apart from ISO 13485 that defines the requirement for medical device quality management systems, medical device manufacturers have to also comply with the regulations of the country their devices are going to be used within. In an effort to streamline the program for manufacturers the Medical Device Single Audit Program (MDSAP) was devised. The MDSAP program is an audit done of the company to the regulations of five participating countries. It is thus much longer than a regular ISO audit as it has to assess the system against multiple regulatory requirements.  

As your company prepares for this new audit scheme perhaps the easiest thing to do is a self-assessment. Use the MDSAP audit model guide to assess whether the company processes meet all the requirements. Conduct a gap assessment and then work to fill in the gaps including keeping records as needed by MDSAP. Just because an organization undergoes MDSAP does not mean that it will not have an ISO 13485 audit as these are two separate schemes. In the conduct of the assessment ensure that the person conducting it is competent to do so. This will avoid any last-minute surprises. Make note that the MDSAP model grades non-conformities differently and so use the same scoring scheme to know what are the priorities that need to be addressed immediately.  

Is the leadership prepared? Often, in preparing, an organization focuses on the lower echelons and on the processes involved in design and manufacturing. Ensure the leadership is briefed on the model guide and understands what is expected of them. As a part of each audit, the AO focuses on the management and assesses their commitment to the system. The leadership, once committed, will drive the rest of the organization to follow suit. This will make it easier for those implementing the system and assessing it internally.

Make sure personnel are trained and understand well the expectations. QMII offers a variety of MDSAP offerings that are tailored to meet the requirements of the organization with training for each level of the organization. In addition, QMII also offers ISO 13485 lead auditor training. Organizations must recognize that participating in MDSAP will not exclude them from regulatory audits from other organizations. While the audit program may seem cumbersome at first there are benefits from participating in it that include reduced costs and a streamlined audit process.  

Managing Risks related to ISO 13485

ISO 13485 sets the requirements for a quality management system for those organizations in the medical device industry. While there are many mandatory regulatory requirements issued by each country related to medical devices, ISO 13485 remains a voluntary standard. The need for certification to the standards stems either from a customer requirement or from a need to market to customers that the organization used a system and risk-based approach to managing quality and continual improvement.
The standard was recently revised in 2016 and includes a greater emphasis on risk than that of the 2003 revision. Risk-based thinking has been emphasized across all ISO requirement standards and is core to implementing a system that is proactive in nature. Risk in its new avatar encourages organizations to look beyond just product safety risk. Organizations complying with ISO 13485 now have to also consider organizational risk and the risk of not meeting compliance obligations. The lifecycle of the product needs to be considered in assessing risks.
Risk, however, can be a subjective topic, and to ensure that an organizational appetite for risk is developed, a risk criterion must be determined by the leadership that will then be the basis for all risk assessments. Risk assessment for medical devices uses the same basis of likelihood of occurrence and severity in calculating the overall risk. Organizations may consider a third factor prescribed by FMEA that takes into account the probability of detection, either before the risk occurs or as soon as it occurs, so that the consequence can be minimized.
ISO 13485 clause 4.1.2(b) requires “The organization shall apply a risk-based approach to the control of appropriate processes needed for the quality management system.” ISO 14971 is another standard that provides guidelines on the risk management framework. In addition to the requirements prescribed per this standard, organizations need to account for performance and compliance risks. In order to address risks posed by software validation and verification, organizations may refer to Good Automated Manufacturing Practices (GAMP). Other risks to consider are the risks from outsourced processes and supplier risks.
Competence of personnel per clause 6.2 of ISO 13485 also poses the potential for risk, and organizations must ensure they have the competent personnel needed for the work to be done. Human error owing to incompetent personnel is a common cause of risk within an organization. Mistake proofing identified risk areas is an effective way of addressing risks within the system. High risks should be addressed to reduce them to an acceptable level. Risks may at times be addressed by accepting them, avoiding them and even sharing the risks with another entity. The risk must be addressed using a planned approach and monitored for effectiveness. QMII’s ISO 13485 training provides students with the knowledge of how to identify, analyze, evaluate and address risks within the system.


How is ISO 13485 different from ISO 9001



ISO 13485 released an updated version of the standard in 2016 but it broke ranks with ISO 9001. In the past the two standards were aligned, with ISO 13485 capturing the additional requirements for the medical device industry. An ISO 13485 overview would reveal that it has retained a lot of the documentation requirements and not left the standard as subjective as the revised ISO 9001:2015.
ISO 13485 provides the requirements for quality management systems for use by the medical device industry. While it still remains broadly based on the framework set by ISO 9001, compliance with the standard will not inherently mean compliance with ISO 9001. The standard is published by ISO, an international organization. It is assessed by certification bodies across the globe accredited by IAF.
An ISO 13485 overview of the standard will show much more in-depth requirements for risk management. This essentially aligns with the US CGMP regulations as also regulations by international bodies. The standard for further assessing risk is ISO 14971, which specifically deals with risk within the medical device industry. In due course the US CFRs will get aligned with ISO 13485 and plans are underway for the update.
As a part of risk management of the systems, companies will now have to assess and address the risks from outsourced processes, lack of competent personnel, lack of adequate number of personnel, loss of traceability, failure in testing of the products at relevant stages, failure to timely address non-conformities, and the documentation of risk itself. Management needs to keep an ISO 13485 overview of their system through the planned management reviews and periodic internal audits. To ensure audits add value, these must be conducted by trained and competent personnel.
QMII’s ISO 13485 lead auditor training prepares your personnel to not only effectively audit the system but also implement it as needed. An ISO 13485 overview version of the course is also available for senior management, so they understand their roles and responsibilities with respect to the standard. Having discussed this, the question often arises if ISO 13485 is mandatory. As with all other ISO standards, it is not mandatory to implement ISO 13485, though it is mandatory to meet regulatory requirements such as CFRs and EU MDR. However, implementing ISO 13485 provides confidence to customers that the organization uses a process-based approach to continual improvement.
An ISO 13485 overview of the standard demonstrates that product quality cannot be guaranteed just from implementing the standard but that it must be vigorously used. The standard can also be applied to all sizes of organizations.