Top 10 Best Practices For Medical Device Audits

In the healthcare industry, making sure you meet quality and compliance standards is paramount, especially when it comes to medical devices. In the realm of audits, organizations aim to guarantee the safety and efficacy of their products. In this article, we dive into the top ten best practices when conducting medical device audits.

Why Do Medical Device Audits Matter?

The safety of medical devices is a matter of life-and death and is the heart of the internal audit program. It is essential that regulators, patients, and healthcare professionals trust the integrity of your organization.

Adhering to the best practices below instills a sense of trust that the right things are being done to prioritize the health and safety of your customers, who purchase the products, on behalf of both patients and caregivers.

Best Medical Device Audit Practices

Medical device audits serve as the guardian of quality, safety, and regulatory compliance. It’s true, as it always was, that the assurance that medical devices not only meet, but surpass regulatory standards is not merely a requisite, but a commitment to the well-being of patients globally. Let’s take a look at some of the top best practices for not only fulfilling regulatory requirements, but also establishing new benchmarks for the future of medical device quality assurance.

Publish Annual Audit Schedule

An audit schedule is a tool to view the audits in your organization in totality, and to compare the content of previous years’ audits to the current year.  The audit schedule can contain numerous categories such as type of audit (example: systems audits, supplier audits, materials audits, and quality assurance audits) the expected auditor(s) the quality subsystems audited and expected audit dates. This tool ensures that the audit program is sufficiently thorough and can minimize gaps in the program.

Stick To The Audit Schedule

In the quality field, as in any field, trustworthiness is assessed by demonstrating that an organization keeps it commitments. An outside inspector is more apt to believe that an organization keeps its other commitments if they can see an organization’s commitment to perform internal audits on time. 

It is understandable, just in any other quality system scenario, that changes to the audit schedule may occur, but just with any other documentation, the record of the change, and its rationale, should be documented.

For example, if problems with a specific supplier have revealed the need to prioritize a customer audit over a general audit of the Receiving process, this should be documented to demonstrate that the change in audit schedule was based on a quality need, and not based on an organization’s inability to keep its commitments.

Cover QSIT (Quality System Inspection Technique) Subsystems Annually

Even as an audit schedule changes periodically, the regulations that govern medical devices remain the same, and the core quality systems that form a cohesive quality management system are a basic requirement.

It may be acceptable to prioritize when to audit a specific process or product, the seven essential quality management subsystems (Management Controls, Corrective/Preventive Action, Design Controls, Production and Process Controls, Material Controls, Facility/Equipment Controls, and Medical Device Reporting) should undergo annual audits.

Review The SOPs

Many an organization has passed all internal audits but failed to implement an effective quality management system because, even though the SOPs were followed as written, the procedures specified within were inadequate.

Audit scopes should be sufficiently broad to include both the SOP content, SOP effectiveness, and whether the SOP covers the intended result mandated by the regulations.  If internal auditors are overly entrenched in the way a company implements policies and procedures, they may not be able to see the deficiencies in the QMS for what they are. 

Train Your Auditors

Auditor training is essential.  On a basic level auditors should understand the Best Practices outlined in this article.  On a personal level, auditors should be able to interview auditees, show professionalism, ask open-ended questions, and display empathy with the auditee. 

On a professional level, auditors should be able to interpret documentation, have a working knowledge of the quality system requirements, use logic to formulate conclusions and have strong writing skills to create a comprehensive audit report. 

Training also includes adherence to company-established training requirements mandated by the organization to qualify auditors for work, which may include reading of SOPs, on-the-job training, participation of audits under the direction of a Lead Auditor, taking of qualification exams that cover both auditor requirements as well as demonstrating understanding of GMP requirements.

An array of outside training programs can supplement internal auditor training if necessary, including certifications by noted authorities, and seminars.

Ensure Auditors Are Unbiased

In numerous guidelines, a stated requirement is that “Auditors shall not audit their own work.”  This is only the most basic of requirements.  Individuals who regularly cross-check each other’s work may still have biases for or against a certain individual’s work.

Beyond the basic requirement is a far more difficult task to show that a particular auditor has completed a fully unbiased examination of the systems being audited. But at the bare minimum, auditors cross-checking themselves is the most evident conflict-of-interest.

That being said, the auditor should have some working knowledge of the quality subsystem under examination, which is why auditor training is essential.  The proper balance between training and objectivity will result in the most effective review of quality compliance.  It is advisable to occasionally use outside, trained auditors, such as those provided through Compliance Team, to inject a sense of objectivity that is internally unavailable.

Publish An Audit Log

The best way to show evidence that the organization adheres to the audit schedule is to publish an audit log.  The log would ideally align with the audit schedule and show the auditor name(s) the audit date(s) the audit result and the date that corrective action(s) were verified as completed.

Additional entries would include the person who entered the information in the log and his/her signature and date.  The log would then be reviewed and signed by the area Executive with Management Authority.  The audit log would be the information shown to inspectors as evidence of an established internal auditing program.

Keep Audit Results Confidential

In other words, do not show the audit reports to outside inspectors.  The only exception is if a specific supplier agreement has clauses that mandate information-sharing.  The Audit Log is the evidence, and the signature of the Executive with Management Authority is the top-management signature needed by the FDA as the necessary documentation to establish that an audit program is indeed implemented at the organization.

Not only should the log be the only documentation shown to outsiders (with noted exceptions) but this confidentiality requirement must be formalized in an SOP or policy covering the methods for documenting audit results.

If this requirement is not formally documented, then it will be permissible to disclose the audit results and the outside organization may be able to force your organization to disclose against your best judgement.  Be ready to cite the SOP requirement that prevents disclosure to outsiders.

Link Audits To Management Review

Confidentiality has its limits, and it is absolutely essential that top management be aware of any and all audit findings.  This is one reason Management with Executive Responsibility signs the audit log.  Another reason is that it is Management’s responsibility to ensure that the Quality Management System continues to sustain a state of compliance within the organization.  The Audit Results must be a topic covered in Management Reviews, which should be conducted on a regular basis, which would be no less frequent than annually, but at an optimal frequency for Management to be informed and able to intervene if the state of quality starts to veer out-of-control.

Like audit results, Management Review results are confidential, and a Management Review Log, signed by the Executive with Management Authority, provides evidence to outsiders that the Management Review has covered all mandated topics, including Quality Audit Results.

Leverage Your CAPA System

The absolute worst thing to happen when an outside inspector visits your organization is for the outsider to identify a quality gap that went unidentified by your own internal auditors. Many times, the gap was already identified internally, but because audit results are confidential, the outside auditor has no evidence that the item was identified internally, and the gap is under correction.

This is why it is essential to minimally document each audit finding as a Nonconformity (some organizations use alternative terms such as “Event, “ or “Deviation”) in the CAPA system for resolution, and consideration for CAPA. In this way, your organization demonstrates that its internal audit process is operational, and that the organization is actively pursuing the necessary corrections to become a more effective establishment.

It is not enough to simply log the Nonconformity.  The evidence within the record must show the progress undertaking to investigate the root cause(s), the date(s) actions were taken, and the progress toward showing whether the actions taken to resolve the issue (including evaluation to potentially escalate to CAPA) were effective.

By having a complete record for the nonconformities revealed via internal audit, the organization demonstrates that the internal audit process effectively self-identifies and corrects audit deficiencies, fostering a sense of trust.

What Are Some Best Audit Practices You Follow?

For over 20 years, Compliance Team has helped medical device manufacturers save time by allowing us to manage their internal audit programs. Our clients benefit from monthly, quality subsystem reviews. This allows internal staff to focus on their day-to-day activities while Compliance Team identifies and remediates audit observations throughout the year.

We keep the quality system up to date without the need for a rushed, internal audit and CAPA documentation during the last months of the year. With our continuous CAPA monitoring and monthly audits, our clients know how their quality system is performing to FDA regulations in real time.