Quality Management System audits and nonconformities

Manufacturers holding or applying for a Part 1 conformity assessment certificate generally showed fewer major and minor nonconformities. Manufacturers implementing a full QMS showed better compliance with ISO 13485:2016 than those implementing a QMS for Production (Part 4) or Product (Part 5) quality assurance purposes.

Average number of nonconformities per audit by certificate scope

Manufacturers of higher-risk medical devices (Class III, Class 4 IVD) showed better compliance with ISO 13485:2016 than those producing Class IIa, Class IIb, Class 2 IVD, and Class 3 IVD devices. A limited number of Class Im and Class Is devices (n = 2) were audited over the reporting period.

Average number of nonconformities per audit by device class

Over the reporting period, we conducted 19 initial audits and 40 audits for surveillance or recertification purposes. Initial audits resulted in a higher number of nonconformities compared to surveillance or recertification.

While the number of minor nonconformities found at domestic and overseas manufacturing facilities was comparable, major nonconformities were 44% lower at overseas sites. Contributing factors include the size and maturity of overseas manufacturers and the number of audits they undergo.

Most cited

This report only covers the primary clause to which the nonconformity applies. 

Nonconformities by high-level clause of ISO 13485:2016.

QMS: general

Major Nonconformities: 16 
Minor Nonconformities: 7

Clause 4.2.1 of ISO 13485:2016 sets out various documentation required for inclusion in a manufacturer’s QMS. 

This clause includes documentation specified by applicable regulations, such as the Declaration of Conformity, and other documentation required to demonstrate compliance with the Essential Principles. 

Clause 4.2.1 nonconformities are often a failure to meet regulatory requirements.

• Regulatory requirements 
• EP Checklist and declaration of conformity
• Risk management
• Clinical evidence
• Other EP compliance

QMS: general requirements

Major Nonconformities: 15
Minor Nonconformities: 25

Clause 4.1 of ISO 13485:2016 defines the requirements for a QMS, its processes, planning and change control, outsourcing, and QMS software validation. 

Nonconformities raised under Clause 4.1 indicate that high-level requirements for the QMS or QMS processes were not identified, established, or implemented. 

• Requirements (e.g. competency and training and supplier management procedures)
• QMS change control 
• Not implementing risk-based rationales 
• ISO 14971 compliance
• QMS software validation 

Purchasing: process

Major Nonconformities: 12
Minor Nonconformities: 20

Clause 7.4.1 of ISO 13485:2016 outlines the requirements for supplier management. 

Before engaging suppliers, criteria for selection and performance should be defined.

The standard sets out the requirements for supplier monitoring, control, and re-evaluation, with decisions taken commensurate to risk. 

Nonconformities raised under Clause 7.4.1 were often cross-referenced to Clause 4.1.5, reflecting the requirement to control outsourced processes. 

• Supplier evaluation
• Approved supplier list
• Supplier monitoring
• Supplier agreement

Improvement: corrective action

Major Nonconformities: 12
Minor Nonconformities: 14

Corrective action is defined as action to eliminate the cause of a nonconformity and prevent recurrence (ISO 9000:2015). 

Clause 8.5.2 of ISO 13485:2016 requires corrective action to be taken without undue delay and proportionate to the effects of the nonconformities encountered. 

As such, procedures need to specify how to identify nonconformities and their cause, plan and document the action needed to eliminate and prevent recurrence of the nonconformity and verify the effectiveness of the corrective action (that the nonconformity has not recurred). 

• Root cause analysis
• Corrective actions not raised
• Corrective actions not taken without undue delay and not verified

Other common nonconformities

Documentation requirements: document and record control

• Major Nonconformities Clause 4.2.4: 10
• Minor Nonconformities Clause 4.2.4: 30
• Major Nonconformities Clause 4.2.5: 6
• Minor Nonconformities Clause 4.2.5: 35

Clause 4.2.4 and 4.2.5 of ISO 13485:2016 specify requirements for controlling documents and records, including review and approval, maintaining integrity, identification, availability, and accuracy. 

We found that more than half the manufacturers audited over the 2-year period had nonconformities in document and record control. 

We most commonly cross-referenced these nonconformities against:

• Management review: Clause 5.6, 5.6.2
• Control of production and service provision: Clause 7.5.1
• Identification: Clause 7.5.8
• Quality objectives: Clause 5.4.1

Cross-referencing reflects the areas of the QMS in which documentation and records are not maintained to the requirements of ISO 13485:2016.

• Review and approval
• Change control
• Documents of external origin
• Identification
• Availability
• Retention

Monitoring and measurement: internal audit

Major Nonconformities: 5
Minor Nonconformities: 26

Clause 8.2.4 of ISO 13485:2016 outlines requirements to plan and conduct internal audits that determine whether the QMS conforms to the requirements of the standard and applicable regulatory requirements, and whether it is effectively implemented and maintained. 

Internal audits allow for the evaluation of each QMS process to assess its adequacy, suitability, and effectiveness and forms a key input into management reviews. 

• Insufficient inputs
• Competency
• Corrective actions not raised from findings

 Resource management: human resources

Major Nonconformities: 7
Minor Nonconformities: 22

Clause 6.2 of ISO 13485:2016 specifies requirements for ensuring that personnel performing work affecting product quality are appropriately competent to do so. 

Competency can be established by education, training, skills, and experience. QMS training and other internal training on processes and procedures is required. 

Nonconformities relating to training records were cross-referenced against Clause 4.2.5.

• Competency
• Training
• Forgotten training

Production and service provision: control of production and service provision

Major Nonconformities: 7
Minor Nonconformities: 19

Clause 7.5.1 of ISO 13485:2016 sets out requirements for planning, undertaking, monitoring, and controlling production to ensure product conforms to requirements. 

Production controls need to be in place for qualifying equipment, monitoring and measuring outputs and processes, and handling packaging, labelling, and product release. 

• Record traceability
• Production process

Definitions

Major nonconformity

A major nonconformity is a nonconformity that:

• Has produced or may produce a product which does not comply with its marketing authorisation or the applicable regulatory requirements (e.g. Act or Regulations); and/or
• Indicates a major deviation from the QMS standard, including any unjustified exclusion of a regulatory requirement from the Manufacturer’s QMS; and/or
• Indicates a major deviation from the conditions of the Conformity Assessment Certificate or other certificate issued by the TGA; and/or
• Indicates a failure to carry out satisfactory procedures for release of batches; and/or
• Indicates a failure of the person responsible for QA to fulfil his/her duties; and/or
• Consists of several other nonconformities, none of which on their own may be Major, but which may together represent a major nonconformity and should be explained and reported as such.

Minor nonconformity

A Minor nonconformity is a nonconformity that cannot be classified as Major but indicates a departure from the applicable standard or regulatory requirement.

1. Categorisation of a nonconformity is based on the assessed risk level and may vary depending on the nature of products manufactured. 
2. A nonconformity that had been reported at a previous audit and was not corrected may be reported as a higher classification.
3. One-off minor lapses or less significant issues were usually not formally reported but were brought to the attention of the manufacturer in the exit meeting or during the audit.