Devine Guidance

Regardless of QMS Structure, Internal Audits are Mandatory

By Dr. Christopher Joseph Devine

Not all auditing firms or auditors are created equal; in fact, there is “The Good, The Bad, and The Ugly” when it comes to auditors. 

Listen up people, the doctor is growing tired of writing non-conformances for organizations failing to establish a program and procedure for internal audits and actually performing audits. Yes, actually performing audits. Audits are good things and when performed properly, and help organizations ensure their QMS remains in compliance with all of those annoying little thing like regulations and standards. 
Not too long ago, in the distant past, in a land not so far away, Dr. D was visiting one of my client’s suppliers for the purpose of performing a supplier audit against the requirements delineated within ISO 13485:2003. Now keep in mind the doctor is an old guy so it really takes something outrageous to see the doctor’s jaw hit the floor and keep from laughing hysterically. This supplier’s quality guru, and I use the term guru loosely, shared their internal audit schedule that eloquently planned for audits to be performed over a two-year period. Unfortunately, audits were not being performed. When the doctor inquired as to why no audits were being performed, the response was a resounding, “We don’t have to perform audits we just need to plan for them.” Wow (Dr. D still smile when he thinks about this audit)! The quality guru was still arguing when asked to sign the non-conformance form. Needless to say, this auditee treated Dr. D as “algid” (look-it-up) as ice during the remainder of the audit debrief. Excuse the doctor, my bad for enforcing compliance. That being said, this week’s guidance is all about the importance of internal quality audits.
The requirement
Regardless of the regulatory requirement or standard being driven by: 21 CFR, Part 820.22 (Quality Audit); Ministerial Ordinance 169 – Article56 (Internal Audit); or ISO 13485:2003, Clause 8.2.2 (Internal Audit), device manufacturers must perform internal audits or outsource the internal audit process to a qualified firm or individual, like Dr. D and Devine Guidance International. Failure to perform internal audits or take appropriate action when issues with the QMS are noted; will result in a Form 483 observation from the FDA and a potential major non-conformance from a device manufacturer’s notified body. Just an FYI – these are bad things. 
On another note, performing audits late will also get device manufacturers in hot water with Agency, their notified bodies, and other regulatory bodies scattered around the globe. You see, since we are not talking about toys here, but medical devices, the expectation is that medical device manufacturers have the appropriate infrastructure in place to successfully manage the QMS. If audits are not being performed on time, then there just might be a resource issue. Can you say another Form 483 observation or audit nonconformance due to lack of resources or effective management oversight? 
Program construction
An effective internal audit program can be eloquent in its simplicity, so start simple with a written procedure. Since §820.22 does not provide a lot of granularity in regards to an internal audit program, the doctor recommends following ISO 13485 for guidance in regards to content. As a minimum, an internal audit program and/or procedure should contain the following tidbits of information (as appropriate).
  • The device manufacturer must publish an audit schedule that reflects audits at planned intervals (yes, it is acceptable to perform all of the audits at once; however, the practice is not extremely effective).
  • The internal audits should be driven by importance and results of previous audits (if previous audits uncover weaknesses in the QMS, the frequency of audits in the problem area should probably be increased).
  • Make sure the auditor requirements are built into the procedure, i.e., certified quality auditor or specific training requirements (recommend reviewing ISO 19011).
  • The audit procedure should contain a requirement for an opening meeting (as needed).
  • The audit procedure should contain a requirement for a closing meeting (as needed).
  • The audit procedure should contain a requirement for documenting the results of internal audits, including record retention.
  • As part of the documentation process it is imperative that the area(s) audited, personnel interviewed, processes reviewed, and procedures reviewed be documented. 
  • The audit procedure should address the process of pursing corrective action to correct audit deficiencies.
  • The audit procedure should contain a clause for performing additional audits, when the results of an audit are unsatisfactory.
  • Finally, the results of audits need to find their way into management review, including actions taken to address QMS performance issues.
NOTE: Device manufacturers are not required to share the result of internal audits with FDA. They only have to provide evidence that they have been performed.
Folks the doctor understands audits are time consuming, that is why organizations such as Devine Guidance International come into being. If you do not have the trained resources to perform internal audits, then by all means outsource the process. However, buyers please beware; not all auditing firms or auditors are created equal. In fact, there is; “The Good, The Bad, and The Ugly when it comes to auditors (sounds like a Clint Eastwood movie). Regardless of the approach to performing internal quality audits, you have to complete them and complete them on time.

In closing, thank you again for joining Dr. D and I hope you find value in the guidance provided. Until the next installment of DG – cheers from Dr. D. and best wishes for continued professional success. 

  1. Code of Federal Regulation. (2012, April). Title 21 Part 820: Quality system regulation. Washington, D.C.: U. S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. ISO 13485:2003. (2004, February). Medical devices – quality management systems – requirements for regulatory purposes (EN ISO 13485:2012).
  4. Ministerial Ordinance 169. (2004). MHLW ministerial ordinance 169 on standards for manufacturing control and quality control for medical devices and in-vitro diagnostic reagents. Retrieved June 1, 2012, from

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International