Project: MQMS_ISO 13485 Implementation

Activity: Internal Audit Awareness

Task: Internal Audit Approach & Plan
INTERNAL AUDIT AWARENESS
A.Where we stand?
B.ISO Basics
C.Standards?
D.ISO 9001
E. ISO 19011
F. Internal Audit Approach
G.Suggestions
H.Way forward actions
Where we stand?
ISO Basics
ISO is an independent, non-governmental organization made up of members from the national standards bodies of 167
countries.

Central Secretariat in Geneva, Switzerland

It's all in the name

 International Organization for Standardization' would have different acronyms in different languages.
 IOS in English, OIN in French for Organisation internationale de normalisation.
 founders decided to give it the short form ISO
 ISO is derived from the Greek 'isos', meaning equal.
 Whatever the country, whatever the language, we are always ISO.

167 Members_ Only 1 member per country

810 Technical & sub-Committees_ Take care of stds developments

ISO’s origins Founded in 1946 by delegates from 25 countries,

ISO began operating on 23 February 1947
Standards?
technology
24609 Standards
Key principles in ISO standard
development
1. Respond to a need in the market
Management 2. Developed through a multi-stakeholder
process
3. Based on global expert opinion
4. Based on a consensus
manufacturing

ISO collaborates with over 700 international, regional and national organizations.

These organizations take part in the standards development process as well as sharing expertise and best practices.
 International Electrotechnical Commission 
 International Telecommunication Union
 In 2001, ISO, IEC and ITU formed_ World Standards Cooperation
 close relationship with the World Trade Organization
 works with United Nations (UN) partners
Examples
A. DRM
B. ISO 9001 Std
C. ISO 19011 Std
D. Learnings PPT
E. Standards List
F. PDCA
G. Process Based Approach (Clause 4)
H. Risk Based Thinking (Clause 4)
I. Internal Audit Checklist Proposal / Existing
J. ETO
ISO 9001:2015(E)
Quality management systems —Requirements
Fifth edition

1. Scope —“shall” indicates a requirement;

2. Normative references — “should” indicates a recommendation;
3. Terms and definitions — “may” indicates a permission;
4. Context of the organization — “can” indicates a possibility or a capability.
5. Leadership — Information marked as “NOTE” is for guidance
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Quality management system is a strategic decision for an organization
 improve its overall performance
 provide a sound basis for sustainable development initiatives.

potential benefits
a) the ability to consistently provide products and services that meet customer and
applicable
statutory and regulatory requirements;
b) facilitating opportunities to enhance customer satisfaction;
c) addressing risks and opportunities associated with its context and objectives;
d) the ability to demonstrate conformity to specified quality management system
requirements.

The quality management system requirements specified in this International Standard are
complementary to requirements for products and services.
 enables an organization to
process approach plan its processes and their interactions

PDCA cycle ensure that its processes are adequately resourced and
managed

opportunities for improvement are determined and acted on

Risk-based thinking determine the factors that could cause its processes and
its quality management system to deviate from the planned results
put in place preventive controls
• minimize negative effects
• make maximum use of opportunities as they arise

Challenge for organizations in Achieving Objectives adopt various forms of improvement

1 Consistently meeting requirements in addition to correction
and continual improvement
2 addressing future needs and expectations breakthrough change

3 dynamic and complex environment , innovation and re-organization

0.2 Quality management principles_ described in ISO 9000

The quality management principles are:

— customer focus;
— leadership;
— engagement of people;
— process approach;
— improvement;
— evidence-based decision making;
— relationship management.

0.3 Process approach

0.3.1 General

What adoption of a process approach

When Developing -> implementing -> improving the effectiveness of a quality
management system
Why to enhance customer satisfaction by meeting customer requirements
4 Context of the organization
4.1 Understanding the organization and its context
External and internal issues
- Relevant to org
- Determine
- Monitor and review

Issues
- Positive
- Negative

External Issues
- Legal
- Technological
- Competitive
- Market
- Cultural
- social and economic environments
- whether international, national, regional or local

Internal Issues
- Values
- Culture
- knowledge
- performance
4.2 Understanding the needs and expectations of interested parties
Interested Party_ effect or potential effect on the organization’s ability.

Determine
1. Relevant IP
2. Requirements
3. monitor and review

4.3 Determining the scope of the quality management system

Determine QMS
1. Boundaries
2. Applicability

Consider:
3. 4.1
4. 4.2
5. Products and services
Shall be available and be maintained as documented information
Justification_ Not applicable requirements
Conformity_ Not applicable does not affect the organization’s ability or responsibility
4.4 Quality management system and its processes
4.4.1

Establish, implement, maintain and continually improve a quality management system, including the processes
needed and their interactions, in accordance with the requirements of this International Standard.

Process Approach
4.4.2
Documented information
1. Maintain_ support the operation of its processes
2. Retain_ To have confidence that the processes are being carried out as planned.
5 Leadership
5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the
1. Quality management system_ 5.1.1
2. Customer Focus_ 5.1.2

5.2 Policy
5.2.1 Establishing the quality policy
Top management shall establish, implement and maintain a quality policy.
- Provides a framework for setting quality objectives

5.2.2 Communicating the quality policy

a) be available and be maintained as documented information;

b) be communicated, understood and applied within the organization;
c) be available to relevant interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

6 Planning
6.1 Actions to address risks and opportunities
6.1.1
When planning for the QMS, the organization shall consider :
1. Issues referred to in 4.1
2. the requirements referred to in 4.2
3. determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.

6.1.2 The organization shall plan:

a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its quality management system processes (see 4.4);
2) evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the
conformity of products and services.
NOTE 1 Options to address risks can include
1. avoiding risk,
2. taking risk in order to pursue an opportunity,
3. eliminating the risk source,
4. hanging the likelihood or consequences,
5. Sharing the risk, or
6. retaining risk by informed decision.

NOTE 2 Opportunities can lead to the

7. adoption of new practices,
8. launching new products,
9. opening new markets,
10. addressing new customers,
11. building partnerships,
12. using new technology and other desirable and viable possibilities to address the organization’s or its
customers’ needs.
 6.2 Quality objectives and planning to achieve them
6.2.1 The organization shall establish quality objectives at relevant functions, levels and processes
needed for the quality management system.

The quality objectives shall: a to g

The organization shall maintain documented information on the quality objectives.

6.2.2 When planning how to achieve its quality objectives, the organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.

6.3 Planning of changes The organization shall consider:

a) the purpose of the changes and their potential
When the organization determines the consequences;
need for changes to the quality b) the integrity of the quality management system;
management system, the changes c) the availability of resources;
shall be carried out in a planned manner d) the allocation or reallocation of responsibilities and
authorities.
7 Support
7.1 Resources
7.1.1 General
The organization shall determine and provide the resources needed for the establishment, implementation,
maintenance and continual improvement of the quality management system.

The organization shall consider:

a) the capabilities of, and constraints on, existing internal resources;
b) what needs to be obtained from external providers.
7.1.2 People

The organization shall determine and provide the persons necessary for the effective implementation
of its quality management system and for the operation and control of its processes.

7.1.3 Infrastructure

The organization shall determine, provide and maintain the infrastructure necessary for the operation
of its processes and to achieve conformity of products and services.

NOTE Infrastructure can include:

a) buildings and associated utilities;
b) equipment, including hardware and software;
c) transportation resources;
d) information and communication technology.

7.1.4 Environment for the operation of processes

The organization shall determine, provide and maintain the environment necessary for the operation
of its processes and to achieve conformity of products and services.

NOTE A suitable environment can be a combination of human and physical factors, such as:
a) social (e.g. non-discriminatory, calm, non-confrontational);
b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective);
c) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).
These factors can differ substantially depending on the products and services provided.
7.1.5 Monitoring and measuring resources
7.1.5.1 General
The organization shall determine and provide the resources needed to ensure valid and reliable
results when monitoring or measuring is used to verify the conformity of products and services to
requirements.

The organization shall ensure that the resources provided:

a) are suitable for the specific type of monitoring and measurement activities being undertaken;
b) are maintained to ensure their continuing fitness for their purpose.
The organization shall retain appropriate documented information as evidence of fitness for purpose of
the monitoring and measurement resources.
7.1.5.2 Measurement traceability
When measurement traceability is a requirement, or is considered by the organization to be an essential
part of providing confidence in the validity of measurement results, measuring equipment shall be:
a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards
traceable to international or national measurement standards; when no such standards exist, the
basis used for calibration or verification shall be retained as documented information;
b) identified in order to determine their status;
c) safeguarded from adjustments, damage or deterioration that would invalidate the calibration
status and subsequent measurement results.

The organization shall determine if the validity of previous measurement results has been adversely
affected when measuring equipment is found to be unfit for its intended purpose, and shall take
appropriate action as necessary.
7.1.6 Organizational knowledge
The organization shall determine the knowledge necessary for the operation of its processes and to
achieve conformity of products and services.
This knowledge shall be maintained and be made available to the extent necessary.
When addressing changing needs and trends, the organization shall consider its current knowledge
and determine how to acquire or access any necessary additional knowledge and required updates.
NOTE 1 Organizational knowledge is knowledge specific to the organization; it is generally gained by
experience. It is information that is used and shared to achieve the organization’s objectives.
NOTE 2 Organizational knowledge can be based on:
a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from
failures and successful projects; capturing and sharing undocumented knowledge and experience; the results
of
improvements in processes, products and services);
b) external s ources ( e.g. s tandards; a cademia; c onferences; g athering k nowledge f rom c ustomers o r
external providers).
7.2 Competence
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects the
performance and effectiveness of the quality management system;
b) ensure that these persons are competent on the basis of appropriate education, training, or
experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness
of the actions taken;
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment
of currently employed persons; or the hiring or contracting of competent persons.
7.3 Awareness
The organization shall ensure that persons doing work under the organization’s control are aware of:
a) the quality policy;
b) relevant quality objectives;
c) their contribution to the effectiveness of the quality management system, including the benefits of
improved performance;
d) the implications of not conforming with the quality management system requirements.

7.4 Communication
The organization shall determine the internal and external communications relevant to the quality
management system, including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who communicates.
7.5 Documented information
7.5.1 General
The organization’s quality management system shall include:
a) documented information required by this International Standard;
b) documented information determined by the organization as being necessary for the effectiveness
of the quality management system.
NOTE The extent of documented information for a quality management system can differ from one
organization to another due to

— the size of organization and its type of activities, processes, products and services;
— the complexity of processes and their interactions;
— the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information, the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.
7.5.3 Control of documented information
7.5.3.1 Documented information required by the quality management system and by this International
Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
7.5.3.2 For the control of documented information, the organization shall address the following
activities, as applicable:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.
Documented information of external origin determined by the organization to be necessary for the
planning and operation of the quality management system shall be identified as appropriate, and
be controlled.
Documented information retained as evidence of conformity shall be protected from unintended
alterations.
NOTE Access can imply a decision regarding the permission to view the documented information only, or
the permission and authority to view and change the documented information.