ISO 13485:2016 Audit Readiness: Your Questions Answered

ISO 13485:2016 Audit Readiness: Your Questions Answered

Kari Miller, Regulatory & Product Management Leader, Pilgrim Quality Solutions
Cynthia Lambert, Regulatory Specialist, Pilgrim Quality Solutions

Last week, Pilgrim hosted a webinar titled “The Ultimate Guide to ISO 13485:2016 Assessment Readiness.” During the session, we presented comprehensive tips, best practices, and solutions to ensure that your team is prepared and confident when the assessor arrives. If you weren’t able to attend the live webinar, you can access the on-demand version here.

ISO 13485:2016 is a critical topic for medical device manufacturers, and we were delighted to address many questions on assessment readiness at the end of the presentation. Here are 5 interesting questions (with answers) from the webinar’s Q&A session that will help you better prepare for your assessment.

Question 1: Is “critical” supplier defined internally, or is there specific criteria that the assessor will use to determine who is “critical”?

It’s essential that you and your team create a supplier management program, and that within that program one of the main tasks is to determine your critical suppliers by creating a rating system based on the products you’re delivering. Due to the fact that you’re working with many suppliers, a quick but effective ranking system provides an efficient mechanism for understanding what areas of the business are critical, and what compounds, tools, and other materials are necessary for manufacturing your product. This is important because you will be able to determine which of your critical suppliers will necessitate an in-person audit.

Suppliers that provide you with critical components, and especially critical components where you are single sourcing, should hold your greatest focus. Each of your suppliers will be judged through various vehicles such as surveys and desktop audits. In addition, you will probably have quality agreements with most, if not all of your suppliers. Having a ranking system allows you to administer desktop audits for those suppliers that are rated low-to-medium and are not your single source of supply. This enables you to focus on your critical suppliers. Also, when critical suppliers receive supplier corrective action reports (SCARs) from your organization, you can focus on working with specific vendors to determine root cause and to develop an action plan to correct the problem.

Question 2: How critical is it to do an actual onsite audit for a critical supplier, and how is it viewed by the assessor if you decide not to go that route as an organization?

It is absolutely essential to perform an onsite audit for critical suppliers. If you choose not to, the assessor will realize that you do not understand your critical suppliers fully because you have not inspected (through audits) their quality systems.

Question 3: Should Supplier SCARs be kept separate from the main CAPA process?

Supplier Corrective Action Requests (SCARs) can – and should – be integrated into the main CAPA process. However, we often see SCARs and CAPAs deployed as separate workflows, especially in document-based or manual Quality Management Systems.

When thinking about an automated system, it’s important to look for a solution that is not only integrated, but also allows for a single CAPA process with rules-based processing depending on CAPA type (i.e. internal vs supplier). This is important for two reasons:

  1. A CAPA for a process or engineering issue, through root cause analysis, may determine that a supplier part was either all or part of the root cause. By having the SCARs and CAPA in the same system, you can link the SCAR to the originating CAPA, and your supplier auditors and CAPA specialists can work together to solve the problem in a comprehensive and expedient manner.
  2. When you use a single CAPA process that allows for the processing of both internal and external CAPAs (i.e. Supplier, Customer), you can then get a view of all CAPAs within your organization regardless of where they originated.

When looking at next-generation CAPA, look for a solution that not only allows for this single source of CAPA, but make sure that it has a properly structured database so CAPA trends and analytics can be aggregated or disaggregated at all levels. This includes the global organization, internal, external, by supplier, or by product, to name a few examples. The key is to have a single source of CAPA truth that can be examined and measured from all views.

Question 4: Do we need a risk-based approach for all QMS processes or only a selection? What are the best techniques to perform and document this selection?

Risk should be built into all that we do from a Quality perspective; in fact it should be an embedded component of all of our QMS processes and it should be assessed at all phases of the product lifecycle. Most recent regulatory and standards updates explicitly call out risk-based thinking. One example of this is ISO. Whether it’s 13485:2016, 9001:2015, or both, each call for organizations to manage risks that can affect the output of processes (safety and performance of the product), and overall outcomes of the quality management system. Additionally, these processes could include outsourced processes.

This really does cover all quality processes. However, the rigor or the risk tools/methodology used will vary based on the process. The risk assessment used during a CAPA investigation will be much more stringent than the risk assessment used when submitting a request for a document update. Some processes will require a simple calculation of the Risk Priority Number (RPN), while others may use a Heat Map in addition to calculation of the RPN.

The benefits of incorporating risk into all QMS processes are: improved process performance, the ability to anticipate and avoid potential issues, improved product safety and efficacy, and improved patient results.

Question 5: Some of our CAPAs are open because the long-term corrective action is taking time and Engineering Change Orders have not been approved as yet. Will this cause any problem in the audit?

When you have open CAPAs prior to an assessment, the first and most important task you must do is analyze the lifecycle of that CAPA. You may find that the CAPA is being continuously worked on by a multi-functional team, and the solution is something that’s going to take a longer timeframe to complete, verify, and check for effectiveness. As long as the daily, weekly and monthly milestones are worked and rationales provided where areas are not complete, you should have no difficulty during your assessment.

However, in those cases where you have an open CAPA, which for anywhere from a month to several years, has had no interaction with your teams assigned to work the problem, the assessor will likely note this as a finding.

The key takeaway is that you need to understand all of the CAPAs and SCARs in your CAPA program so that you can answer the assessor with clarity.

Additional Resources to Assist with Your ISO 13485:2016 Transition Process

This presentation and Q&A session was the fourth in a four-part series on ISO 13485:2016 gap analysis, solutions and assessment readiness. Pilgrim has a number of additional resources to assist with your ISO 13485:2016 transition planning.

On-Demand Webinars:


Blog Posts

We hope these resources will make your transition to ISO 13485:2016 more efficient and successful. Finally, if you’d like to learn how Pilgrim SmartSolve® can help you better prepare for this transition, contact us directly to learn more.


ISO 13485:2016 Audit Readiness

On-demand Webinar

Get a handle on team training needs, auditee etiquette, and the quality system data you should have on hand to be audit-ready.

ISO 13485:2016 Audit Readiness


Pilgrim Quality Solutions

Pilgrim pioneered quality management software more than 25 years ago for regulated enterprises that needed a better way to deliver, track and oversee quality-related activities.

No Comments

Leave a Comment

Your email address will not be published. Please fill out all required fields.

This site uses Akismet to reduce spam. Learn how your comment data is processed.