ISO 9001 Standard / ISO 9001 Standards – ISO 9000 Standard / ISO 9000 Standards Certification & Implementation

1. PURPOSE
The purpose of this procedure is to define the steps that <company> follows in planning, performing, reporting, recording, and following up on internal audits.
<Company> conducts internal audits to determine whether the quality management system:
- Conforms to planned arrangements, to the requirements of ISO 9001 and to the quality management system requirements established by <Company> (QMS Manual policies, procedures, work instructions, and forms)
- Is effectively implemented and maintained.

2. SCOPE
This procedure applies to all company personnel who are responsible for planning, development, use, and maintenance of the quality management system.

3. DEFINITIONS
None

4. REFERENCES
4.1 Quality Manual,
5. ASSOCIATED DOCUMENTS
5.1 Audit Check List,
5.2 ERC/ERO Procedure,
5.4 Audit Schedule,
5.3 Audit Notebook

6. PROCEDURE
NOTE 1: This procedure is typically initiated about four weeks prior to the execution of an internal audit as called for by <Company>’s audit schedule. The audit schedule is established and maintained by The Quality Assurance Manager.
NOTE 2: Every element in the quality system is audited on a regular basis and at minimum of once per year. Activities are audited more frequently if there are significant changes taking place (i.e., many new hires/high turnover of personnel, modified procedures and work instructions, etc.) or if there is a history of problems in that area.
NOTE 3: Only qualified personnel may perform internal auditing activities. These qualified personnel are classified as internal auditors and have received the following training as a minimum: 1 day training on internal auditing techniques, 1 day training on the ISO 9001 Standard, this training may be performed by previously trained internal auditors.

6.1 AUDIT PLANNING, COORDINATION, AND PREPARATION
6.1.1 The Quality Assurance Manager defines the specific criteria, scope, methods, and objectives for the upcoming internal audit based on the status, maturity, and importance of specific elements in <Company>’s quality system.
Audits shall be carried out to a defined scope and shall be as follows,
a) Planned: as per the internal audit plan
b) Unplanned: arising as a result of,
- Customer complaints
- Following the implementation of actions defined in a corrective action report
- Following the identification of additional or amended procedures for products
NOTE 4: In planning the particular audit, these activities include determining the extent and boundaries of the audit (locations, activities, processes); set of policies, procedures and/or requirements to be audited against; auditing methods; and audit objectives.
6.1.2 The Quality Assurance Manager selects the appropriate auditor to ensure objectivity and impartiality of the audit process.
6.1.3 The Quality Assurance Manager and the auditor review the proposed audit program to ensure that it is consistent with and effective for the defined audit criteria, scope, methods, and objectives.
6.1.4 Prior to the audit date, auditor reviews the appropriate quality system documentation, records of completed corrective and preventive actions, and past audit findings for the activities to be audited, and then develops a checklist covering the quality system elements and activities to be audited.

6.2 INTERNAL QUALITY AUDIT INVESTIGATION

6.2.1 The auditor will contact the personnel in the area being audited at the time indicated on the audit program, and briefly review the audit criteria, scope, methods and objectives with them.
NOTE 5: The checklists only serve as a guide to the auditors, and other areas may be investigated as deemed necessary by the auditors or as requested by the auditee.
6.2.2 When a nonconformance is identified, the auditor presents the nature of the nonconformity and the evidence to the personnel involved for verification, clarification, and addresses any questions or concerns that the personnel may have, as well as to give advice, when requested, regarding any problems which are uncovered.
6.2.3 If the nonconformance is confirmed, then go to step 6.2.5.
6.2.4 If the possible nonconformance requires further clarification the auditor will discuss the situation with the Quality Assurance Manager.
6.2.5 After the facts of the nonconformity are verified (or modified), the auditor either drafts nonconformance statement or documents the necessary information for writing one later.
NOTE 6: The nonconformance statement includes the nature of the nonconformity, the actual evidence obtained, and the nature of the requirement that is not being complied with (i.e., the appropriate ISO 9001 clause number, the appropriate quality system document section/page/paragraph, what the personnel says is the normal practice, contract requirements, statutory regulations, current standards, and any other relevant requirements).

6.3 REPORTING AND FOLLOW-UP
6.3.1 Within 2 weeks of completing the internal audit program, the auditor prepares a brief internal audit report and submits it to The Quality Assurance Manager for review and approval.
NOTE 7: The audit report includes the audit’s criteria, scope, methods and objectives, the names and titles of the audit team members, a summary of general observations (i.e., general degree of compliance and any significant problems encountered), all statements of nonconformities, weaknesses, and/or opportunities for improvement, and verification results for follow-up activities performed during the audit.
6.3.2 The Quality Assurance Manager reviews and approves the internal audit report, and then distributes copies of the report to senior management and the personnel of the audited areas that were directly involved in the audit.
NOTE 8: Any additional comments or observations of the Quality Assurance Manager can be attached to the report, but the auditor’s observations be will not be deleted or modified by The Quality Assurance Manager.
6.3.3 The Quality Assurance Manager request a Engineering Change Request for any nonconformity listed in the Internal Audit Report and for any weaknesses and “opportunities for improvement” identified and documented.
6.3.4 The Quality Assurance Manager updates and maintains the long-range audit schedule based upon the documented results of the audit and the planned corrective and preventive actions.
6.3.5 The Quality Manager shall maintain an audit notebook detailing all internal and external audits carried out.
- Long-range audit schedule
- Internal audit program
- Completed checklists- signed and dated by each auditor
- Audit report

7. REVIEW PROCEDURE
Any suggested improvements or modifications to this procedure are to be passed on to the Quality Assurance Manager for discussion at the next Quality Review Committee meeting.

What Should Be Documented In Quality Management System?

Clause 4.2.1 in ISO 9000 Standards requires quality management system documentation to include 5 types
of document:
(a) Quality policy and objectives
(b) Quality manual
(c) Documented procedures
(d) Documents needed to ensure the effective planning, operation and control of processes
(e) Records
Other than the requirements in clause 4 for documentation, there are 14 other references requiring documentation. These are as follows:
(a) The output of the planning
(b) The quality manual
(c) A documented procedure for document control
(d) A documented procedure for the identification, storage, retrieval, protection, retention time and disposition of records.
(e) Planning of the realization processes
(f) Inputs relating to product requirements
(g) The outputs of the design and development process
(h) Design and development changes
(i) The results of the review of changes and subsequent follow up actions
(j) A documented procedure for conducting audits that includes the responsibilities and requirements
(k) Evidence of conformity with the acceptance criteria characteristics of the product
(l) A documented procedure for nonconformity control activities
(m)A documented procedure for corrective action
(n) A documented procedure for preventive action
This list is somewhat inadequate for documentation purposes because it does not tell us what types of things we should document or provide criteria to enable us to decide what we need to document. ISO 9000 clause 2.7.2 includes a more useful list of document types that are classified as follows:
(a) Quality manuals
(b) Quality plans
(c) Specifications
(d) Guidelines
(e) Procedures, work instructions and drawings
(f) Records

Process Based Auditing Of Quality Management System

Any effective quality management system (including the subsystems) works as a control process, which has the ability to detect deviations and nonconforming products and assures that the corrective and preventive action measures are effective. The regulatory auditor should check that all subsystems and processes of the quality management system are structured as self-regulating control processes. For example Deming’s PDCA cycle demonstrates such a process with the following components:

i) Plan – Has the manufacturer established the objectives and processes to enable the quality system to deliver the results in accordance with the regulatory requirements?

ii) Do – Has the manufacturer implemented the quality system and the processes?

iii) Check – Has the manufacturer checked process monitoring and measurement results against the objectives and the regulatory requirements? Does the manufacturer evaluate the effectiveness of the quality system periodically through internal audits and management reviews?

iv) Act – Has the manufacturer implemented effective corrective and preventive actions? Confirm that the company is committed to providing high quality safe and effective medical devices, and that the company is conforming with applicable laws and regulations. These are generic questions that can be asked throughout the audit.

Sampling

In general there are two ways of sampling records for review which are useful in regulatory audits risk based and statistical. Where possible, auditors should select samples based on factors which are most likely to affect the safety of the patient. In this situation sampling tables are not necessary. The auditor may however decide to select a statistically valid sample. A sample can also be drawn using a combination of risk based and statistical sampling.

Audit Planning

i) Further to the requirements given in the chapter 11 of GHTF Guidelines for Regulatory Auditing of Quality Systems of Medical Device Manufacturers – Part 1:

General Requirements (SG4/N28R2), some more consideration should be given to the following points: Information from the Manufacturer Estimation of audit duration, frequency and targeted on-site auditing time Further points to consider are given in chapter 6. Information required from the manufacturer

ii) In the planning phase, the following information should be requested from the manufacturer to estimate the audit duration and to prepare the audit plan for Regulatory Auditing of Quality Systems of Medical Device: manufacturer’s name, address contact name, telephone, fax numbers and e-mail addresses ? total number of employees (all shifts) covered by the scope of the audit ? range and class of medical devices being manufactured types of devices? sold and/or planned to be sold in the countries and/or regions for which the regulatory requirements will be assessed, including a complete list of authorizations (e.g. licenses) issued for those devices (where applicable) location and function of each site to be included in the audit a list of activities on each site the involvement of any? special manufacturing processes, e.g. software, sterilization, etc. a list of the activities performed by subcontractors and their locations, including the type of control that is exercised over those outsourced operations any existing audit results from other auditing organizations e.g. from USA, Australia, Europe, Canada, Japan. do they install or service the medical devices produced changes since the last audit, if applicable.

ii) Audit frequency The audit frequency is dependent on the factors mentioned in Appendix 3, the regulatory requirements and history of the Manufacturer.

iv) Audit duration The audit duration has a significant effect on both regulatory agencies and industry. It is dependent on factors such as the audit scope and specific regulatory requirements to be assessed, as well on the range, class and complexity of devices, and the size and complexity of the manufacturer. If not specifically mentioned, the considerations in this section are applicable to initial, and surveillance audits.

v) Relation between audit frequency and audit duration Audit duration depends on the audit frequency. In the following an annual audit frequency is the baseline as reference in IAF Guidance on the Application of ISO/IEC Guide 62. For more or less frequent audits, audit duration should be adapted accordingly. vi) Method of estimating audit duration When auditing organizations are planning regulatory audits, sufficient time should be allowed for the audit team to establish the conformity status of a medical device manufacturer’s quality system with respect to the relevant regulatory requirements. Any additional time required to assess national or regional regulatory requirements must be justified.

Implementation of ISO 9000 affects the entire organization right from the start. If
pursued with total dedication, it results in ‘cultural transition’ to an atmosphere of
continuous improvement.
The process of implementing ISO 9000 depends on:
???? a. The sophistication of your existing quality program,
???? b. The size of your organization, and
???? c. The complexity of your process.

The 14 essential steps, briefly described below, are to be followed through in order to
implement ISO 9000 quality management system successfully.
Step 1: Top management commitment
Step 2: Establish implementation team
Step 3. Start ISO 9000 awareness programs
Step 4: Provide Training
Step 5. Conduct initial status survey
Step 6: Create a documented implementation plan
Step 7. Develop quality management system documentation
Step 8: Document control
Step 9. Implementation
Step 10. Internal quality audit
Step 11. Management review
Step 12. Pre-assessment audit
Step 13. Certification and registration
Step 14: Continual Improvement

Quality Management System Requirements
The ISO 9001:2008 standard is meant to be generic and applicable to all kinds of organizations. Therefore, organizations from both the public and private sectors, including non-governmental organizations can benefit from the ISO 9001 quality management system model, regardless of whether they are small, medium or large organizations. The immediate benefit that can be realized from the implementation of ISO 9001 is the collective alignment of the activities of internal processes that are focused towards the enhancement of customer satisfaction which will result in many other benefits, whether internal or external. The magnitude of these benefits are determined by how effective the processes are in achieving its objectives.

What Should Be Documented In Quality Management System?

Clause 4.2.1 in ISO 9000 Standards requires quality management system documentation to include 5 types
of document:
(a) Quality policy and objectives
(b) Quality manual
(c) Documented procedures
(d) Documents needed to ensure the effective planning, operation and control of processes
(e) Records
Other than the requirements in clause 4 for documentation, there are 14 other references requiring documentation. These are as follows:
(a) The output of the planning
(b) The quality manual
(c) A documented procedure for document control
(d) A documented procedure for the identification, storage, retrieval, protection, retention time and disposition of records.
(e) Planning of the realization processes
(f) Inputs relating to product requirements
(g) The outputs of the design and development process
(h) Design and development changes
(i) The results of the review of changes and subsequent follow up actions
(j) A documented procedure for conducting audits that includes the responsibilities and requirements
(k) Evidence of conformity with the acceptance criteria characteristics of the product
(l) A documented procedure for nonconformity control activities
(m)A documented procedure for corrective action
(n) A documented procedure for preventive action
This list is somewhat inadequate for documentation purposes because it does not tell us what types of things we should document or provide criteria to enable us to decide what we need to document. ISO 9000 clause 2.7.2 includes a more useful list of document types that are classified as follows:
(a) Quality manuals
(b) Quality plans
(c) Specifications
(d) Guidelines
(e) Procedures, work instructions and drawings
(f) Records
This list is similar to that in clause 4.2.1 with some notable differences. The
policy and objective could form part of the quality manual and the quality plans, work instructions, guidelines, drawings and specifications could be the documents needed to ensure the effective planning, operation and control of processes.
Obviously the size, type and complexity of the organization and the competency of personnel will have an effect on the depth and breadth of the
documentation but the subject matter other than that which is product, process or customer specific is not dependent on size, type and complexity of the organization etc. There is no single method that will reveal all the things that should be documented but there are several approaches that can be used to reveal the documentation necessary.

Documenting A Quality Management System

The ISO 9000 Standards requires the organization to document a quality management system in accordance with the requirements of ISO 9001. A document (according to ISO 9000 clause 2.7.1) is information and its supporting medium. A page of printed information, a CD ROM or a computer file is a document, implying that recorded information is a document and verbal information is not a document.
Clause 4.2 requires the management system documentation to include certain types of documents and therefore does not limit the management system documentation to the types of documents listed.
As a management system is the means to achieve the organization’s objectives, and a system is a set of interrelated processes, it follows that what has to be documented are all the processes that constitute the system.
While there is a reduction in emphasis on documentation in ISO 9001:2008 compared with the 1994 version, it does not imply that organizations will need less documentation to define their management system. What it does mean is that the organization is left to decide the documentation necessary for effective operation and control of its processes. If the absence of specific documentation does not adversely affect operation and control of processes, such documentation is unnecessary.
Before ISO 9000 came along, organizations prospered without masses of
documentation and many still do. Those that have chosen not to pursue the
ISO 9000 path often only generate and maintain documents that have a useful purpose and will not produce documents just for auditors unless there is a legal requirement. Most of the documentation that is required in ISO 9000 came about from hindsight – the traditional unscientific way organizations learn and how management systems evolve.
ISO 9000 contains a list of valid reasons for why documents are necessary as below:
- To communicate requirements, intentions, instructions, methods and  results effectively
- To convert solved problems into recorded knowledge so as to avoid having
to solve them repeatedly
- To provide freedom for management and staff to maximize their contribution to the business
- To free the business from reliance on particular individuals for its effectiveness
-  To provide legitimacy and authority for the actions and decisions needed
-  To make responsibility clear and to create the conditions for self-control
-  To provide co-ordination for inter-departmental action
-  To provide consistency and predictability in carrying out repetitive tasks
-  To provide training and reference material for new and existing staff
-  To provide evidence to those concerned of your intentions and your actions
- To provide a basis for studying existing work practices and identifying
opportunities for improvement
- To demonstrate after an incident the precautions which were taken or which should have been taken to prevent it or minimize its occurrence
If only one of these reasons make sense in a particular situation, the
information should be documented. In some organizations, they take the
view that it is important to nurture freedom, creativity and initiative and
therefore feel that documenting procedures is counterproductive. Their view is that documented procedures hold back improvement, forcing staff to follow routines without thinking and prevent innovation. While it is true that blindly enforcing procedures that reflect out-of-date practices coupled with bureaucratic change mechanisms is counter productive, it is equally shortsighted to ignore past experience, ignore decisions based on valid evidence and encourage staff to reinvent what were perfectly acceptable methods.
Question by all means, encourage staff to challenge decisions of the past, but
encourage them to put forward a case for change. That way it will cause
them to study the old methods, select the good bits and modify the parts that are no longer appropriate. It is often said that there is nothing new under the sun – just new ways of packaging the same message.

How Quality Management System is implemented?

The terms ‘establish’, ‘document’, ‘implement’, ‘maintain’ and ‘improve’ are used in the ISO 9000 Standard as though this is a sequence of activities when in reality, in order to establish a system it has to be put in place and putting a system in place requires two separate actions:
- Design the Quality Management System using a process that transforms the system requirements into specific characteristics that results in a clear definition of all the processes that meet the system requirements.
- Construct the system using a process that documents, installs, commissions and integrates the processes to deliver the required business outputs.
The way in which these phases of quality system development are related is
illustrated in the management system process model shown in Figure 4.1. This diagram has some important features. Note that the design input to the system comprises internal and external requirements. On the right side there are four improvement routes:
- Improvements in conformity during operation of the system arise through
enforcing policy and practices – doing what you say you do
- Improvements in conformity during system construction arise through
enforcing policy and design rules on the system – reworking the system to
comply with the established policies and objectives
- Improvements in efficiency during system construction arise through
finding better ways of implementing the system design – shorter, less
wasteful routines, less complexity, lower skill levels, fewer resources
- Improvements in effectiveness arise as a result of identifying different
policies and objectives – higher targets, new objectives, new requirements,
regulations, and new technologies.
As indicated above, establishing a system means designing and constructing it, which can be referred to as system development. System design is dealt with under Identifying processes. Constructing the system covers documentation, resourcing, installation, commissioning, qualification and integration.

Develop Quality Management System Documentation In ISO 9000 Standards
Documentation is the most common area of non-conformance among organizations wishing to implement ISO 9000 quality management systems. As one company pointed out: “When we started our implementation, we found that documentation was inadequate. Even absent, in some areas. Take calibration. Obviously it’s necessary, and obviously we do it, but it wasn’t being documented. Another area was inspection and testing. We inspect and test practically every item that leaves here, but our documentation was inadequate”.
Documentation of the quality management system should include:
1. Documented statements of a quality policy and quality objectives,
2. A quality manual,
3. Documented procedures and records required by the standard ISO 9001:2008, and
4. Documents needed by the organization to ensure the effective planning, operation and control of its processes.

Quality documentation is generally prepared in the three levels indicated below that follows. Use ISO 10013:1995 for guidance in quality documentation.

Level A: Quality manual
States the scope of the quality management system, including exclusions and details of their justification; and describes the processes of the quality management system and their interaction. Generally gives an organization profile; presents the organizational relationships and responsibilities of persons whose work affects quality and outlines the main procedures. It may also describe organization’s quality policy and quality objectives.

Level B: Quality management system procedures
Describes the activities of individual departments, how quality is controlled in each department and the checks that are carried out.

Level C: Quality documents (forms, reports, work instructions, etc.)
1. Work instructions describe in detail how specific tasks are performed; include drawing standards, methods of tests, customer’s specifications, etc.
2. Presents forms to be used for recording observations, etc.