Quality Management System audits and nonconformities
A summary of TGA on-site and remote audits of medical device manufacturers
Purpose
This report covers the period from 1 July 2021 to 30 June 2023. It provides a high-level overview of common quality management system (QMS) nonconformities. Desktop QMS audits are not included in the data presented.
Background
The Devices Manufacturing Quality Section performs QMS audits of medical device manufacturing facilities. We conduct a full program of on-site or remote audits for manufacturers who elect to obtain and maintain certification issued by the TGA, including certification issued under a Mutual Recognition Agreement.
Audits conducted include:
- Certification and recertification audits (a full-scope QMS audit)
- Surveillance audits (a reduced scope QMS audit)
- “For cause” audits (an audit of a manufacturer with evidence from a comparable overseas regulator where there is a performance or safety signal).
Audits are to establish compliance with:
- Therapeutic Goods Act 1989
- Therapeutic Goods (Medical Devices) Regulations 2002
- ISO 13485:2016 Medical Devices – Quality Management Systems – Requirements for regulatory purposes
- Conditions of existing TGA issued certificates (if applicable)
Nonconformities are raised when non-compliance with the above is identified.
Audits conducted
Location | FY 2021-22 | FY 2022-23 |
---|---|---|
Domestic | 24 | 17 |
Overseas | 4 | 14 |
Audits cover a broad range of medical devices, including sterile (EtO, steam, gamma, aseptic) and non-sterile devices, software, implantable devices, procedure packs, in-vitro diagnostics (IVDs), and imaging systems.
Manufacturer compliance
We assess manufacturer compliance by the number of nonconformities we identify during the audit.
Rating | Major nonconformities | Minor nonconformities |
---|---|---|
Good (A1) | 0 | < 10 |
Satisfactory (A2) | 1-5 | < 20 |
Basic (A3) | 6-10 | < 30 |
Unacceptable (U) | > 10 | |
Compliance compared to previous audit
Manufacturers holding or applying for a Part 1 conformity assessment certificate generally showed fewer major and minor nonconformities. Manufacturers implementing a full QMS showed better compliance with ISO 13485:2016 than those implementing a QMS for Production (Part 4) or Product (Part 5) quality assurance purposes.
Average number of nonconformities per audit by certificate scope
Manufacturers of higher-risk medical devices (Class III, Class 4 IVD) showed better compliance with ISO 13485:2016 than those producing Class IIa, Class IIb, Class 2 IVD, and Class 3 IVD devices. A limited number of Class Im and Class Is devices (n = 2) were audited over the reporting period.
Average number of nonconformities per audit by device class
Over the reporting period, we conducted 19 initial audits and 40 audits for surveillance or recertification purposes. Initial audits resulted in a higher number of nonconformities compared to surveillance or recertification.
While the number of minor nonconformities found at domestic and overseas manufacturing facilities was comparable, major nonconformities were 44% lower at overseas sites. Contributing factors include the size and maturity of overseas manufacturers and the number of audits they undergo.
| Domestic | Overseas | Combined |
---|---|---|---|
Average Major Nonconformities per Audit | 3.4 | 1.9 | 2.9 |
Average Minor Nonconformities per Audit | 8.4 | 7.9 | 8.3 |
Most cited
This report only covers the primary clause to which the nonconformity applies.
Nonconformities by high-level clause of ISO 13485:2016.
QMS: general
Major Nonconformities: 16
Minor Nonconformities: 7
Clause 4.2.1 of ISO 13485:2016 sets out various documentation required for inclusion in a manufacturer’s QMS.
This clause includes documentation specified by applicable regulations, such as the Declaration of Conformity, and other documentation required to demonstrate compliance with the Essential Principles.
Clause 4.2.1 nonconformities are often a failure to meet regulatory requirements.
- Regulatory requirements
- EP Checklist and declaration of conformity
- Risk management
- Clinical evidence
- Other EP compliance
QMS: general requirements
Major Nonconformities: 15
Minor Nonconformities: 25
Clause 4.1 of ISO 13485:2016 defines the requirements for a QMS, its processes, planning and change control, outsourcing, and QMS software validation.
Nonconformities raised under Clause 4.1 indicate that high-level requirements for the QMS or QMS processes were not identified, established, or implemented.
- Requirements (e.g. competency and training and supplier management procedures)
- QMS change control
- Not implementing risk-based rationales
- ISO 14971 compliance
- QMS software validation
Purchasing: process
Major Nonconformities: 12
Minor Nonconformities: 20
Clause 7.4.1 of ISO 13485:2016 outlines the requirements for supplier management.
Before engaging suppliers, criteria for selection and performance should be defined.
The standard sets out the requirements for supplier monitoring, control, and re-evaluation, with decisions taken commensurate to risk.
Nonconformities raised under Clause 7.4.1 were often cross-referenced to Clause 4.1.5, reflecting the requirement to control outsourced processes.
- Supplier evaluation
- Approved supplier list
- Supplier monitoring
- Supplier agreement
Improvement: corrective action
Major Nonconformities: 12
Minor Nonconformities: 14
Corrective action is defined as action to eliminate the cause of a nonconformity and prevent recurrence (ISO 9000:2015).
Clause 8.5.2 of ISO 13485:2016 requires corrective action to be taken without undue delay and proportionate to the effects of the nonconformities encountered.
As such, procedures need to specify how to identify nonconformities and their cause, plan and document the action needed to eliminate and prevent recurrence of the nonconformity and verify the effectiveness of the corrective action (that the nonconformity has not recurred).
- Root cause analysis
- Corrective actions not raised
- Corrective actions not taken without undue delay and not verified
Other common nonconformities
Documentation requirements: document and record control
- Major Nonconformities Clause 4.2.4: 10
- Minor Nonconformities Clause 4.2.4: 30
- Major Nonconformities Clause 4.2.5: 6
- Minor Nonconformities Clause 4.2.5: 35
Clause 4.2.4 and 4.2.5 of ISO 13485:2016 specify requirements for controlling documents and records, including review and approval, maintaining integrity, identification, availability, and accuracy.
We found that more than half the manufacturers audited over the 2-year period had nonconformities in document and record control.
We most commonly cross-referenced these nonconformities against:
- Management review: Clause 5.6, 5.6.2
- Control of production and service provision: Clause 7.5.1
- Identification: Clause 7.5.8
- Quality objectives: Clause 5.4.1
Cross-referencing reflects the areas of the QMS in which documentation and records are not maintained to the requirements of ISO 13485:2016.
- Review and approval
- Change control
- Documents of external origin
- Identification
- Availability
- Retention
Monitoring and measurement: internal audit
Major Nonconformities: 5
Minor Nonconformities: 26
Clause 8.2.4 of ISO 13485:2016 outlines requirements to plan and conduct internal audits that determine whether the QMS conforms to the requirements of the standard and applicable regulatory requirements, and whether it is effectively implemented and maintained.
Internal audits allow for the evaluation of each QMS process to assess its adequacy, suitability, and effectiveness, and form a key input into management reviews.
- Insufficient inputs
- Competency
- Corrective actions not raised from findings
Resource management: human resources
Major Nonconformities: 7
Minor Nonconformities: 22
Clause 6.2 of ISO 13485:2016 specifies requirements for ensuring that personnel performing work affecting product quality are appropriately competent to do so.
Competency can be established by education, training, skills, and experience. QMS training and other internal training on processes and procedures is required.
Nonconformities relating to training records were cross-referenced against Clause 4.2.5.
- Competency
- Training
- Forgotten training
Production and service provision: control of production and service provision
Major Nonconformities: 7
Minor Nonconformities: 19
Clause 7.5.1 of ISO 13485:2016 sets out requirements for planning, undertaking, monitoring, and controlling production to ensure product conforms to requirements.
Production controls need to be in place for qualifying equipment, monitoring and measuring outputs and processes, and handling packaging, labelling, and product release.
- Record traceability
- Production process
Definitions
Major nonconformity
A major nonconformity is a nonconformity that:
- Has produced or may produce a product which does not comply with its marketing authorisation or the applicable regulatory requirements (e.g. Act or Regulations); and/or
- Indicates a major deviation from the QMS standard, including any unjustified exclusion of a regulatory requirement from the Manufacturer’s QMS; and/or
- Indicates a major deviation from the conditions of the Conformity Assessment Certificate or other certificate issued by the TGA; and/or
- Indicates a failure to carry out satisfactory procedures for release of batches; and/or
- Indicates a failure of the person responsible for QA to fulfil his/her duties; and/or
- Consists of several other nonconformities, none of which on their own may be Major, but which may together represent a major nonconformity and should be explained and reported as such.
Minor nonconformity
A Minor nonconformity is a nonconformity that cannot be classified as Major but indicates a departure from the applicable standard or regulatory requirement.
- Categorisation of a nonconformity is based on the assessed risk level and may vary depending on the nature of products manufactured.
- A nonconformity that had been reported at a previous audit and was not corrected may be reported as a higher classification.
- One-off minor lapses or less significant issues were usually not formally reported but were brought to the attention of the manufacturer in the exit meeting or during the audit.