Navigating the Audit Landscape: Preparing for GCP, ISO 14155, and ISO 13485 Audits

Audits are an intrinsic part of operating within the highly regulated medical device and pharmaceutical industries. Whether conducted by regulatory bodies (like the FDA, EMA, or national authorities), notified bodies for certification (for ISO standards), or sponsors themselves (of clinical sites or vendors), audits serve as critical checkpoints to verify compliance with established standards and regulations. For companies involved in clinical trials (GCP, ISO 14155) or medical device manufacturing (ISO 13485), navigating this audit landscape effectively is not just about avoiding findings; it's about demonstrating a genuine commitment to quality, safety, and ethical conduct. Preparation is key, transforming a potentially stressful event into an opportunity to showcase robust systems and drive continuous improvement.

This article provides practical tips and strategies for companies in these sectors to successfully prepare for internal and external audits against Good Clinical Practice (GCP), ISO 14155 (Clinical investigation of medical devices), and ISO 13485 (Quality management systems for medical devices).

Understanding the Auditor's Perspective

Auditors are trained professionals tasked with assessing whether an organization's processes, procedures, and records comply with specific requirements (standards, regulations, internal SOPs). They follow a structured approach, typically involving:

  • Review of Documentation: Examining quality manuals, SOPs, work instructions, policies, protocols/CIPs, study plans, records (batch records, training records, complaint files, CAPA records, subject files, etc.).

     

  • Interviews: Talking to personnel at various levels to understand their roles, responsibilities, and how they perform their tasks.

     

  • Observation: Witnessing processes in action (e.g., manufacturing steps, data entry, device handling).

     

  • Sampling: Selecting specific records or processes for detailed examination to verify compliance.

     

Their goal is not to find fault for the sake of it, but to identify objective evidence of conformity or nonconformity with the applicable requirements. Understanding this perspective helps in focusing preparation efforts.

Preparing for GCP Audits

GCP audits, often conducted by sponsors or regulatory authorities, focus on the conduct of clinical trials involving human subjects. Key areas of auditor focus include:

  • Investigator Site File (ISF) and Sponsor File: Are these files complete, accurate, and up-to-date? Do they contain all essential documents as defined by ICH E6?

     

  • Informed Consent Process: Is there documented evidence that informed consent was properly obtained from every subject before any trial-specific procedures took place? Are consent forms current and signed/dated correctly?

     

  • Source Data Verification: Can the data recorded in the Case Report Forms (CRFs) be verified against the original source documents (e.g., medical records, lab reports)?

     

  • Adverse Event Reporting: Are all adverse events (AEs) and serious adverse events (SAEs) properly documented, assessed for causality and expectedness, and reported according to the protocol and regulatory requirements within specified timelines?

     

  • Protocol Adherence: Is there evidence that the trial was conducted strictly according to the approved protocol? Are any deviations documented and justified?

     

  • Investigator and Site Qualifications: Are the investigators qualified and adequately trained for their roles? Is the site adequately equipped?

     

  • Investigational Product Accountability: Is there a clear record of receipt, dispensing, retrieval, and destruction/return of the investigational product?

     

  • Data Management: Are data collection, entry, validation, and cleaning processes documented and followed?

     

  • Example (GCP): An auditor reviewing a subject's file might check the date on the informed consent form against the date of the first trial procedure. If the procedure date precedes the consent date, this would be a significant finding of non-compliance with a core GCP principle.

     

  • Statistic (GCP): According to FDA inspection data (e.g., from their Bioresearch Monitoring - BIMO program), common findings in clinical investigator site inspections often relate to inadequate record-keeping, issues with the informed consent process, and failure to follow the investigational plan/protocol. For instance, analyses of FDA warning letters related to clinical investigators frequently cite deficiencies in these areas.

     

Preparing for ISO 14155 Audits (Medical Device Clinical Investigations)

ISO 14155 audits build upon GCP principles but add specific requirements for medical device investigations. Auditors will look at GCP elements plus:

  • Clinical Investigation Plan (CIP): Is the CIP comprehensive and does it address device-specific aspects like detailed device description, instructions for use, and performance/usability endpoints?

     

  • Device Accountability: Is there a robust system for tracking individual investigational devices (by serial number, for example) assigned to each subject? Are records of device handling, maintenance, and disposition complete?

     

  • Risk Management Integration: Is there evidence that the risk management process (per ISO 14971) for the device informed the design and conduct of the clinical investigation? Are risks associated with the device use and procedure adequately addressed in the CIP and monitored?

     

  • Performance and Usability Data: Are the methods for collecting data on device performance and usability clearly defined and followed? Is the data reliable?

     

  • Handling of Device-Related Adverse Events: Are adverse events specifically linked to the device or its use clearly identified, assessed, and reported according to ISO 14155 and regulatory requirements?

     

  • Example (ISO 14155): An auditor might request records showing the calibration status of a piece of equipment used to measure a key performance parameter of the device during the investigation. If calibration records are missing or out of date, it could cast doubt on the reliability of the performance data collected.

     

  • Statistic (ISO 14155): While specific global statistics solely for ISO 14155 audit findings are less publicly aggregated than for ISO 13485 or general GCP, findings in medical device clinical investigation audits often mirror GCP issues but with a device-specific twist. Issues related to device accountability, deviations from the CIP related to device handling, and inadequate assessment/reporting of device-related adverse events are common areas of scrutiny.

     

Preparing for ISO 13485 Audits (Quality Management System)

ISO 13485 audits, typically conducted by notified bodies for certification or by regulatory authorities (especially for manufacturers), focus on the entire Quality Management System. Auditors will assess compliance with all relevant clauses of the standard:

  • Management Responsibility: Is there evidence that top management is involved in and committed to the QMS (e.g., management review minutes)?

     

  • Documentation Control: Are documents (SOPs, work instructions, forms) properly controlled, approved, and distributed, and are obsolete versions removed?

     

  • Record Control: Are records (training records, batch records, CAPA files) identifiable, stored, protected, and retrievable?

     

  • Resource Management: Are personnel adequately trained and competent for their roles? Is infrastructure suitable?

     

  • Design and Development Controls: Is the design process documented and followed? Are design inputs, outputs, reviews, verification, and validation properly recorded? Is design change controlled?

     

  • Purchasing Controls: Is there a process for evaluating and approving suppliers? Are purchasing requirements clearly defined?

     

  • Production and Service Controls: Are manufacturing processes validated? Is product identification and traceability maintained? Are environmental controls (if needed) in place?

     

  • Control of Monitoring and Measuring Equipment: Is equipment calibrated and maintained?

     

  • Complaint Handling: Is there a process for receiving, evaluating, and investigating complaints?

     

  • Nonconforming Product: Is nonconforming product identified and controlled?

     

  • Internal Audits: Are internal audits planned and conducted regularly by trained auditors? Are findings addressed?

     

  • Corrective and Preventive Actions (CAPA): Is there a documented process for investigating root causes of nonconformities and potential nonconformities and implementing effective actions?

     

  • Management Review: Does top management review the QMS at planned intervals?

     

  • Example (ISO 13485): An auditor might select a sample of CAPA records. They will check if the root cause investigation was thorough, if the corrective/preventive action implemented was appropriate, and if there is evidence that the action was effective in preventing recurrence/occurrence. A common finding is inadequate root cause analysis or lack of verification of effectiveness.

     

  • Statistic (ISO 13485): Analysis of notified body findings from ISO 13485 audits consistently shows certain clauses as frequent sources of nonconformities. Clause 8 (Measurement, analysis and improvement - particularly CAPA and internal audits) and Clause 7 (Product realization - particularly design and development controls and production/process controls) are often among the top areas with findings. For example, a 2020 analysis by the European Association of Notified Bodies (TEAM-NB) highlighted CAPA and internal audits as leading causes of major nonconformities.

     

Practical Tips for Audit Preparation (Applicable to All Standards)

Regardless of the specific standard being audited, several universal strategies can significantly improve your readiness:

  1. Know the Standard/Regulation: Ensure all relevant personnel are trained on the applicable GCP guidelines, ISO 14155, ISO 13485, and relevant national regulations. Understanding the requirements is the first step to meeting them.

     

  2. Implement a Robust QMS (for ISO 13485): Although a QMS is what the standard itself requires, what matters is a functioning QMS, not just documented procedures. Ensure your processes are actually followed in practice.

     

  3. Conduct Regular Internal Audits: Internal audits are invaluable practice for external ones. Use trained internal auditors to simulate external audits, identify gaps, and implement corrections proactively. Address all internal audit findings thoroughly and promptly.

     

  4. Maintain Meticulous Documentation: Ensure all required records are complete, accurate, legible, and readily accessible. Think of documentation as telling the story of your processes and activities. Incomplete or messy documentation is a major source of findings.

     

  5. Train Your Personnel (and document it): Ensure all staff involved in the scope of the audit are adequately trained for their specific roles and on the relevant procedures and standards. Maintain up-to-date training records.

     

  6. Perform a "Mock Audit" or Readiness Check: Before a major external audit (especially regulatory inspections), conduct a comprehensive internal review or mock audit covering all relevant areas. This helps identify last-minute gaps and familiarizes staff with the audit process.

     

  7. Review Previous Audit Findings: Analyze findings from past internal and external audits. Ensure that corrective actions have been effectively implemented and verified. Auditors often check if previous findings have been addressed.

     

  8. Prepare Key Personnel: Identify the individuals who will be interviewed during the audit. Ensure they understand their role, are familiar with the relevant procedures and documentation, and can clearly articulate their responsibilities and processes. Practice answering questions concisely and accurately.

     

  9. Organize Your Files and Records: Have essential documents and records readily available and organized logically. This demonstrates control and saves time during the audit.

     

  10. Establish an Audit Management Process: Have a clear plan for the audit day(s), including who will escort the auditor, who will be available for interviews, and how questions and requests for documentation will be managed efficiently. Designate a backroom team to retrieve requested documents quickly.

     

  11. Be Honest and Transparent: If a nonconformity is identified, acknowledge it, explain the process you have in place to address such issues (e.g., CAPA), and demonstrate your commitment to resolving it. Do not try to hide information.

     

Conclusion

Audits against GCP, ISO 14155, and ISO 13485 are not events to be feared but opportunities to validate the effectiveness of your quality systems and processes. By understanding the requirements of each standard, focusing on key areas of auditor scrutiny, and implementing proactive preparation strategies – including rigorous internal audits, meticulous documentation, and thorough personnel training – companies in the medical device and pharmaceutical industries can navigate the audit landscape with confidence. A well-prepared organization not only demonstrates compliance but also showcases a mature quality culture that is fundamental to ensuring patient safety and driving future innovation.
