
Tuesday, 16 July 2019

Conducting Internal Audits for ISO 9001:2015

I recently received an email from a newly trained lead auditor asking for advice on conducting an internal audit. He was totally focused on a massive and detailed checklist for identifying gaps against ISO 9001:2015. ISO 9001:2015 lead auditor training generally teaches you how to do third-party audits, and little else. It is therefore a common but understandable mistake for newly trained lead auditors to conduct internal audits as if they were certification or surveillance audits by a third-party auditor. I know, because I did it myself for a while. So here are a handful of important considerations to make your first internal audit less daunting. Or, if you have been treating your internal audits as mini certification audits, there is something here for you too.

The Quality Management System (QMS)

If your organization is indeed ISO 9001 certified, then an auditor from an accredited certification body has already established that your QMS conforms to ISO 9001:2015. You do NOT have to do that all over again. What you have to do now is verify, from evidence, that the people in your organization are executing the procedures and processes laid out in your Quality Management System (QMS). It should go without saying that you need to be familiar with your organization's QMS and with the roles and responsibilities defined in its processes.

Internal Audit Process

First off, your QMS should have procedures and processes covering internal audits, and you need to conduct your internal audits in conformity with them. If those procedures or processes are deficient, write up an appropriate finding. The audit process laid out in your QMS should include a schedule of internal audits. A good practice is to hold an internal audit every quarter, with each audit covering at least a quarter of the QMS, so that the whole system is audited at least once a year. Your internal audit should follow a plan that you, the lead auditor, have drawn up based on the scheduled content of that audit. The plan is reviewed and approved by top management before the opening meeting of your internal audit.

Corrective Action (CA)

An important item in each audit is to follow up on corrective actions for nonconformities (NCs) found in the previous audit. Your QMS should have one or more processes defined for handling corrective actions; is your organization following them? NCs from previous audits, especially third-party audits, are the most important corrective actions to follow up on, but a sample of other NCs should be reviewed as well, especially those originating from customer complaints.

Sampling

You cannot audit every single operational thing that an organization does, so have a system of sampling. This could be random sampling where, for example, you throw dice for your starting point and then take every Nth instance to reach a chosen percentage of coverage; or risk-based sampling, where you concentrate on items that are safety related or that carry financial risk if not performed satisfactorily. Either way, record how the sample was chosen so that it can be reproduced. For random sampling I like to use Random.Org.
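As an added illustration, not code from the original post, here is a small Python helper that implements the two sampling approaches described above: fixed-interval sampling from a random start (the dice throw), and risk-based selection layered on top of it, where safety-related or high-value records are always audited and the rest are sampled. The record fields, the value threshold, the constructed list of work orders and the seeded random generator standing in for the dice or Random.Org are all assumptions for the example. The start and step are returned so they can be written into the audit plan and a later auditor can reproduce exactly the same selection from the same ordered list.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One auditable instance, e.g. a work order or training file (assumed fields)."""
    ref: str
    safety_related: bool = False
    value: float = 0.0  # financial exposure if the step was not performed correctly


def systematic_sample(items, coverage, seed=None):
    """Random-start, fixed-interval sample covering roughly `coverage` of `items`.

    `items` must be in a stable order (e.g. by record number).  Returns
    (sample, start, step); recording start and step in the audit plan lets
    another auditor reproduce the identical selection.
    """
    if not 0 < coverage <= 1:
        raise ValueError("coverage must be in (0, 1]")
    if not items:
        return [], 0, 1
    # Every Nth instance: N is the reciprocal of the desired coverage.
    step = max(1, round(1 / coverage))
    # The "dice throw": a seeded generator stands in for dice or Random.Org here
    # so the example is reproducible offline.
    start = random.Random(seed).randrange(step)
    return list(items[start::step]), start, step


def risk_based_sample(records, coverage, value_threshold, seed=None):
    """Always audit safety-related or high-value records; sample the remainder.

    Returns (selected, start, step) where start/step describe the systematic
    sample taken over the non-risk remainder.
    """
    def at_risk(r):
        return r.safety_related or r.value >= value_threshold

    must_audit = [r for r in records if at_risk(r)]
    remainder = [r for r in records if not at_risk(r)]
    sampled, start, step = systematic_sample(remainder, coverage, seed)
    return must_audit + sampled, start, step


# Constructed sample population: 60 work orders, a few flagged safety related.
RECORDS = [
    Record(f"WO-{i:03d}", safety_related=(i % 17 == 0), value=(i * 137) % 5000)
    for i in range(1, 61)
]

if __name__ == "__main__":
    chosen, start, step = risk_based_sample(RECORDS, coverage=0.2, value_threshold=4000, seed=3)
    print(f"Audit plan: {len(chosen)} of {len(RECORDS)} records; remainder sampled "
          f"from position {start}, every {step}th record")
    for r in chosen:
        print(f"  {r.ref}  safety={r.safety_related}  value={r.value:.0f}")
```

Keep the seed (or the actual dice result / Random.Org output) with the audit plan, because the reproducibility of the sample is what lets the next auditor follow in your footsteps.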

Writing Up a Nonconformity

When you think you have found a nonconformity (NC), be very clear in your own mind what the requirement is in terms of your QMS process. If the QMS states "Document the customer's training needs in such-and-such a file in the customer's folder" and the information is simply being held in someone's emails instead, then write up your finding and show clearly where the requirement can be found in the QMS, chapter and verse. Somebody following in your footsteps should be able to locate the same evidence you used, reproduce your findings and, from that evidence, reach the same conclusion. As far as possible, without being argumentative, the manager or lead responsible for the process should agree that the requirement has not been met.

Auditor Independence

Remember, an important rule of auditing is that an auditor may not audit their own work. If you are the Sales Manager in the organization, or in charge of Quality Control, then you may not audit those departments if you have performed or signed off on any of the work being audited. This means you will need to train one or more other people in your organization to form an audit team that you lead. They do not need third-party lead auditor training, but they do need some introductory training in the requirements of the ISO 9001 standard and familiarity with the QMS. To preserve their freedom to audit without fear of repercussion, they should not be in your reporting structure. Even if you are well respected, there should be no perception of a conflict of interest; when you move on, your replacement may not be such a nice person as you. In the meantime, while you are the only auditor, you can begin auditing the other parts of the organization. For all the same reasons, it is not a good idea for you to interview personnel who report directly to you.

The Audit Report

Look for the positive: where people are doing a good job, and where the QMS is working well for the organization. Make sure this comes out at the beginning of your audit report. Very importantly, remember that we AUDIT THE SYSTEM, NOT THE PEOPLE. If there is an NC, it is because the system has allowed it to happen. Ensure that the people associated with an NC are given the opportunity either to explain why it might not be an NC or to agree that it is indeed a nonconformity. They will in all likelihood be involved in the corrective action, so the organization needs them on board during root cause analysis.

Have you watched my video, A Common Mistake in ISO training?
Nothing else that I can tell you is more important than what I say there!

- W. Edwards Deming quoting Arthur Jones.

Thursday, 11 April 2019

You are part of the Internet of Things (IoT) - like it or not

From military operations to healthcare, children’s toys to appliances, anything that accesses the internet and pulls data from it is considered part of the Internet of Things (IoT). How many 'Things' in your business or private life are part of the IoT? Have you even given a second thought to the security risks?
Katie Williard of The Core Solution offers some food for thought if you have not thought too much about it before. Read her article here.

Thursday, 7 March 2019

Survivorship Bias

Published by David McRaney in 2013, I found this article, Survivorship Bias, on the web while looking for information on a brilliant statistician and mathematician by the name of Abraham Wald.

A five to ten minute read, I found the article fascinating with lots of food for thought - challenging what often appears axiomatic. To illustrate a point about survivorship bias, Wald comes into the picture because he was called upon to help determine where additional armour should be placed to increase the chances of WW II British and American bombers and their crews making it back to base after a bombing mission - missions that always included running the gauntlet of heavy anti-aircraft artillery and the consequent heavy loss of aircraft and life. The military examined planes that returned and documented where the most damage was. It looked like this:

Military commanders wanted to put the thicker protection where they could clearly see the most damage, where the holes clustered. Were they right? No. Read the article to find out why - and why it's time to review many of your obviously correct assumptions about so many things.

Survivorship Bias by David McRaney

Friday, 1 March 2019

Tuesday, 19 February 2019

Does ISO 13485 imply that a medical device is proven effective?

I received the following question from someone who viewed my video What is ISO 13485 for medical devices?

If a product has ISO 13485 certification, it means the product is of high quality, trustworthy, and reliable enough to be used as a medical device in any hospital / medical setting - correct?

Does it also imply that its performance or effectiveness is proven too?

Here is my reply...

Remember, it is the organisation, not the product, that is certified. Certification confirms that the manufacturer's quality management system meets ISO 13485; it says nothing about whether any particular device has been proven effective. Once the organisation is certified, all products should be manufactured following due process according to the quality management system as laid out in the Quality Manual.

For me, if a medical device manufacturer does not have ISO 13485 certification then they do not warrant a second look. ISO 13485 should be the first requirement for supplier qualification, but certainly NOT the only requirement.

Having ISO 13485 merely gets a manufacturer to first base; it is not a home run. The customer needs to do due diligence to ensure the medical device truly meets all requirements that are critical to quality for their use, including, if appropriate, satisfactorily passing a supplier (second-party) audit.