Standard Operating Procedure for Auditing and Reporting

Standard Operating Procedure for AUDITING AND REPORTING

Purpose

The purpose of this procedure is to detail the auditing process that would be undertaken by the PRNS Certifications Services (PRNS). This document shall list and describe the activities that would be performed by PRNS during the audit process at the client site.

 

Scope:

This procedure applies to the following auditing processes performed by PRNS.

a) Initial certification audit
b) Surveillance audit
c) Recertification audit

 

Procedure:-

Auditing processes include three types of audits:

a. Initial certification audit – This audit consists of two stages

1. 1. Stage 1 audit – Stage 1 audit is performed to ensure the readiness of the client for the detailed Stage 2 audit.
   2. Stage 2 audit – Stage 2 audit is a detailed thorough assessment performed to establish whether the organization’s Management Systems is compliant with the relevant standard and seek evidence that the organization is following the documentation.

b. Surveillance audits – These audits are done annually to ensure that the management system of the client is working effectively after the initial audit.

c. Re-certification audits – These are performed after every three years to ensure that the client is maintaining to adhere to the management system standards and no major changes have occurred since the previous certification.

 

Procedure for the Initial certification audit

• Once, a formal contract is signed, PRNS will appoint a competent audit team and notify the client of the team members. If required, PRNS will add technical experts (TE) to make the team competent.
• PRNS shall share the CVs of the nominated audit team members with the client to identify any conflict-of- interest issues. If any objection is received from the client, PRNS will accordingly revise the team with justified reason.
• Initial certification audit shall be conducted in two stages: Stage-I audit, and stage-II audit.

 

Stage 1 audit process

• PRNS auditors shall perform the Stage 1 audit on-site based on contract review and IAF MD 9:2023 document, however higher risk medical device categories as per Annex A of IAF MD 9:2023 e.g. MTA A.1.2, A.1.3, A.1.5, A. 1.6, implantable (Active & Non-active) and active medical devices. In the case of multiple locations, the Stage 1 audit will be conducted at the main/head office.
• If any higher risk medical devices (e.g. GHTF C and D) are concerned then the PRNS shall ensure to perform the on-site audit for effective assessment of the client’s readiness and understanding of regulatory and QMS requirements
• TL shall notify the client of the documents required to be submitted on the day of the audit.
• On the start day of the Stage 1 audit, TL shall conduct an opening meeting on-site. TL shall introduce the audit team and explain the Stage 1 audit process and address any questions either side might have.
• The audit team shall then meet the objectives of Stage 1 as mentioned below, but not limited to;

• • Is to evaluate the effectiveness of the organization’s implemented management system for the below criteria covering the following:
  • review the client’s management system documented information
  • Assess the client's specific conditions and engage in discussions with the client's team to evaluate their readiness for stage 2
  • Review the client's status and comprehension of the standard's requirements, particularly in relation to identifying key performance indicators or significant aspects, processes, objectives, and the functioning of the management system
  • Gather essential information regarding the scope of the management system, including:
    • The client's site(s)
    • Processes and equipment utilized
    • Levels of control established, especially for multi-site clients
• Applicable statutory and regulatory requirements
  • • Review the resource allocation for stage 2 and finalize the details of stage 2 with the client
    • Gain a thorough understanding of the client’s management system and site operations in relation to the management system standard or other normative document to effectively plan stage 2
• Assess whether internal audits and management reviews are being planned and conducted, and ensure that the level of management system implementation confirms the client's readiness for stage 2.
• Review the allocation of resources for stage 2 and agree on the details of stage 2 with the client
  provide a focus for planning stage 2 by gaining a sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative documents. Evaluate if the internal audits and management reviews are being planned and performed and that the level of implementation of the management system substantiates that the client is ready for stage 2.

 

Stage 2 audit process

• Stage 2 audit report make PRNS formal documents of the audit process, result and recommendation.
• The audit team shall then meet the objectives of Stage 2 as mentioned below, but not limited to:

Is to evaluate the implementation including the effectiveness of the organization’s implemented management system for the below criteria covering the following:

• • Information and evidence about conformity to all requirements of the applicable management system standard or other normative documents
  • Performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document)
  • Organization’s management system ability and its performance regarding meeting of applicable statutory, regulatory and contractual requirements
  • operational control of the organization’s processes
  • Internal auditing and management review
  • verify that the client has identified the necessary controls based on a risk assessment and to evaluate whether the established information security objectives have been met.
  • Management responsibility for the client’s policies.
  • Verify that the client has identified the necessary controls based on a risk assessment and to evaluate whether the established information security objectives have been met (ISMS Specific)
• The audit team leader shall provide at least the following information to PRNS for the decision on certification:
  • Comments on non-conformities and, where applicable, the correction and corrective action taken by the client
  • Confirmation of the information provided by the client, e.g., scope, outsourced activities, non-applicability, etc.
  • A recommendation whether or not to grant certification, together with any conditions or observations.
• After the completion of the audit, the team leader shall submit all original documents (Audit notes of self, co-auditors and technical expert*) along with a copy of the non-conformity report as applicable for review and approval by the certification panel.
• The client shall immediately receive the original non-conformity report for identifying the correction and corrective actions reported by the auditor during the Audit time. After closing the CAPA, Team Leader shall approve the closure and forward the to the certification panel of PRNS.
• Recommendation letter shall be issued by the certification Panel and issuing the certificate for the client. This process will take 2-3 weeks of time.

 

Procedure for the Surveillance audit

• Surveillance Audit is done at least once a year for ongoing certification cycle activity.
• Team leader ensure for all management system requirements are covered over the Surveillance Cycle.
• Major Audited activity shall be (but not limited to) :

• • internal audits and management review,
  • Any complaints or Feedbacks
  • Performance of Continues improvement
  • Any changes since Last Audit
  • Effectiveness of corrective actions
  • Any adverse events, Advisory notice and recalls.
  • review of actions taken on nonconformities identified during the previous audit
  • use of marks and/or any other reference to certification
  • continuing operational control
  • progress of planned activities aimed at continual improvement
  • effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system (s)
• Manday estimation and Planning of audit shall be done by the team leader.
• Audit report shall be submitted in defined Timeline i.e (7-10 Working Days)
• On-site Surveillance activities shall include fulfilment of specified requirements with respect to the standard to which the certification is granted.
  • enquiries from the certification body to the certified client on aspects of certification;
  • reviewing any  certified  client’s  statements  with  respect  to  its  operations  (e.g.  promotional material, website);
  • requests to the certified client to provide documented information (on paper or electronic media);
  • other means of monitoring the certified client’s performance

 

SA 1

• The date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date.
• This is ensured by initiating the following actions,

• • The notice of the first surveillance due is issued to the client at least 90 days in advance of the due date.
  • If no confirmation about the audit date is received within 60 days from the date of the notice, a first reminder is sent to the client.
  • If again, no confirmation about the audit date is received within 30 days of the first reminder, a second reminder is sent.
  • If no audit is conducted before the due date, a suspension notice is issued to the client, effective the next day.
  • After suspending the client, further actions will be initiated as described in the SOP for Issue and Control, Suspension and Withdrawal of Certificate (PRNS-P-019)

 

SA 2

• The second surveillance shall be done within 12 months from the due date of surveillance 1 audit. Maximum gap between two audits shall not be more than a year.
• To ensure a timely audit, PRNS initiates the same actions as described above for first surveillance.
• PRNS clearly defines and communicates in advance to certified clients the specific circumstances under which unannounced audits may be conducted as part of surveillance activities. This information will be provided to ensure transparency and allow clients to be prepared for potential audits.
• And whole process will be done as per mentioned above.

 

Procedure for the Re-Certification Audit

• The purpose of the re-certification audit is to confirm the continued conformity and effectiveness of the management system as a whole and its continued relevance and applicability for the scope of certification. The re-certification audit shall include a review of the performance of the management system over the period of certification and the previous surveillance audit reports.

 

Procedure for Special Audit

Procedure for Extension Audit

• If it is intended to extend the scope of an existing certificate, this can be implemented by means of an extension audit.
• An extension audit can be conducted within the framework of a surveillance audit, a recertification audit or at a time which is set independently.
• The period of validity of a certificate does not change as a result. Exceptions must be justified in writing.

 

Procedure for Short-Notice/unannounced audit

• It may be necessary at short notice to investigate complaint, in response to changes or as follow up on suspended client.
• In such cases

• • the certification body shall describe the conditions under which this short notice announced visits are to be conducted,
  • Objection does not exist the possibility to raise against members of the audit team

• this audit is required when (as per IAF MD 9, Clause MD 9.6.4.2)

• • external factors apply such as;
• Devices in scope of certification indicate a possible significant deficiency in the quality management system significant safety related information becoming known to the PRNS
• significant safety and performance related information becoming known to the CAB
• significant changes occur which have been submitted as required by the regulations or become known to the CAB, and which could affect the decision on the client’s state of compliance with the regulatory requirements.
• when required by legal requirements under public law or by the relevant Regulatory Authority
• The following are examples of such changes which could be significant and relevant to the CAB when considering that a short notice or unannounced audit is required, although none of these changes should automatically trigger a short term or unannounced audit:a. QMS – impact and changes:
  • new ownership
  • extension to manufacturing and/or design control
  • new facility, site change

• • • modification of the site operation involved in the manufacturing activity (e.g., relocation of the manufacturing operation to a new site or centralizing the design and/or development functions for several manufacturing sites)
  • new processes, process changes
    • significant modifications to special processes (e.g., change in production from sterilization through a supplier to an on-site facility or a change in the method of sterilization)
  • QM management, personnel
    • modifications to the defined authority of the management representative that impact
  • quality management system effectiveness or regulatory compliance
  • the capability and authority to assure that only safe and effective medical devices are released

 

b. Product Related Changes:

1. 1. new products, categories
   2. addition of a new device category to the manufacturing scope within the quality management system (e.g., addition of sterile single use dialysis sets to an existing scope limited to haemodialysis equipment, or the addition of magnetic resonance imaging to an existing scope limited to ultrasound equipment)

 

c. QMS & Product related changes

1. 1. changes in standards, regulations
   2. post market surveillance, vigilance

• An unannounced or short-notice audit may also be necessary if the CAB has justifiable concerns about implementation of corrective actions or compliance with standard and regulatory requirements.
• And whole process will be done as per mentioned above step by step.

 

Transfer of accredited certificates (Done as per IAF MD 2:2017):

• In general, only certificates from accredited certification bodies can be taken over. Organizations with certificates which originate from non-accredited certification bodies are treated like new clients then process will be start from beginning Client Application Form and after reviewing the application that products are fall under the scope or not, Contract Review and Audit Programming Form generated.
• A "Pre-Transfer-Review” must be conducted by a competent person from the certification body which is taking over the certificate. During this process PRNS shall obtained sufficient information in order to take a decision on certification and inform the transferring client of the process.
• PRNS shall conduct the review of all the documents, for example there are outstanding major nonconformities, shall include a pre-transfer visit to the transferring client to confirm the validity of the certification.
• The review shall cover the following aspects as a minimum and the review and its findings shall be fully documented:

• • confirmation that the client’s certification falls within the accredited scope of the issuing and accepting certification body;
  • confirmation that the issuing certification body’s accredited scope falls within its accreditation body’s scope;
  • the reasons for seeking a transfer
  • hat the site or sites wishing to transfer certification hold a valid accredited certification;
  • the initial certification or most recent recertification audit reports, and the latest surveillance report; the status of all outstanding nonconformities that may arise from them and any other available, relevant documentation regarding the certification process. If these audit reports are not made available or if the surveillance audit or recertification audit has not been completed as required by the issuing certification body’s audit programme, then the organization shall be treated as a new client;
  • complaints received and action taken;
  • considerations relevant to establishing an audit plan and an audit programme. The audit programme established by the issuing certification body should be reviewed if available.
  • any current engagement by the transferring client with regulatory bodies relevant to the scope of the certification in respect of legal compliance.

• Certificates which have been suspended, or where there is risk of suspension, may not be taken over. Any nonconformities which have not been corrected should as far as practicable be clarified with the previous Certifier before the takeover. Otherwise, they must be dealt with in the audit.
• The further surveillance programme is based on the programme which has been in place up to the time of the takeover of the certificate.

 

Identification and Recording of Nonconformities

Nonconformities can be these but not limited to this

1. 1. failure to address applicable requirements for quality management systems (e.g. failure to have a complaint handling or training system)
   2. failure to implement applicable requirements for quality management systems
   3. failure to implement appropriate corrective and preventative action when an investigation of post market data indicates a pattern of product defects
   4. products which are put onto the market and cause undue risk to patient and/or users when the device is used according to the product labelling
   5. the existence of products which clearly do not comply with the client’s specifications and/or the regulatory requirements
   6. repeated nonconformities from previous audits

Audit non-conformities are classified as major non-conformity and minor non-conformity

 

1. Major Non-Conformance  

Major NC is a non-compliance of a serious nature that may have a significant and direct adverse impact on the quality of the product / services provided by the client. Multiple minor non-compliance may also be flagged as major Non conformity, because this shows a lack of knowledge or lack of commitment. Major non-conformities must be responded to, corrected and formally closed-out, preferably within 90 days. These are re-verified by the auditors, mostly by revisiting the audit site. Only after satisfactory closure of major non conformities the certification and registration can proceed. Major non-conformity related to legal non-compliance may be closed by perusal of documentary evidence submitted to the PRNS without any re-visit at the audit site.

 

2. Minor Non-Conformance  

Minor NC is a non-compliance of less serious nature that does not cause significant adverse impact over the goods or services provided by the client. These Minor non conformities are closed-out by the auditors by reviewing evidences of corrective action, which the client must submit to the PRNS office within the agreed time, preferably within 30 days. Some minor non-conformities where corrective action may be initiated within 30 days but full closure can be verified only after months of implementation-are verified during subsequent surveillance audit.

Observation is an isolated noncompliance that does not show collapse of MS process. It is not mandatory to submit corrective action plan or corrective action evidence. However, observations should be treated as potential non conformities, which should be closed in order to stop its conversion into actual non conformities.

 

3. Opportunity for Improvement (OFI)

Its not a non-compliance. These are areas where scope of further improvement is available. These are recommendation and value addition by the audit team. Compliance is not mandatory.

No conformities are documented and classified and the client’s representative is asked to Knowledge it. During the closing meeting the client is thanked about their transparency and hospitality. Positive and negative issues are shared and the Client is asked to submit corrective action plans against each individual non conformities recorded in form NCR Report within one week along with the NC Closure .

.

As per audit findings, the audit team leader declares the audit result/ conclusion/ recommendation regarding grant, refusal, hold up, suspension, scope extension, scope reduction, continuation or withdrawal of the certificate.

The client is asked to close minor NC within one month, and major NC within 3 months. Mode of verification of effectiveness of the corrective action is also explained and documented by the audit team leader, which varies depending upon the nature of the non-conformities. Some non-conformities corrective action may be verified by submission of documentary evidence of corrective action.

In case of some major nonconformity and in case of multiple minor non conformities follow up audit is declared to verify corrective action at the audit site.

Certificate of conformity is not issued unless all non-conformities are closed by PRNS auditors.

However, Corrective action verification of some minor non conformities where evidence of initiating corrective action is submitted within one month, but due to nature of non-conformity the actual closure requires many months  (not affecting product conformity and/ or customer satisfaction, not amounting to collapse of  key element of MS)  may be deferred up to next surveillance audit, and in this case the client may be recommended for grant of certification, without verifying closure of such minor NC.

Summary of non-conformities, observations for improvement and decision about recommendation/non recommendation is communicated to the Client organization by the Audit team leader, during the Closing meeting. Audit summary report is also submitted in hard and soft copy to the client within two weeks.

During closing meeting brief narration of audit findings is done. It is explained that the audit was conducted on sampling basis. Type of non-conformities detected and time frame and method of submitting corrective action plan and corrective action evidence for verifying Closure of non-conformities and its time frame is also explained. Information about the method of lodging complaints and appeal and its handling is also explained. Consequences of closure or non-closure of non-conformities and its impact on certification decisions are also explained to the client. Post audit activities of the PRNS like, verification of corrective action plan and corrective actions (where required), preparation of audit report and its subsequent review by the technical committee/ decision makers is also explained. If the client is recommended for certification, the process of surveillance, validity of certificate and recertification process are also explained. The client is informed that a summary of audit report will be submitted to the client along with the documented audit result.

 

Effectiveness of corrections and corrective actions:-

The certification body/ competent auditor reviews the statement of corrections, root cause of non-conformity and corrective actions, submitted by the client to determine if these are acceptable. The certification body verifies the effectiveness of the correction and corrective actions taken. The evidence obtained to support the resolution of nonconformities is recorded. The client is informed about the result of the review and verification.

 

Issue of certificate

The certificate is issued when the certification procedure has been reviewed and released by the head of the certification body or his deputy or nominated representative.

The person who reviews and releases the procedure may not have participated in the audit.

The certificate can only be issued when the nonconformities have been accepted or verified by the audit team.

Normally the certificates are valid for 3 years.

 

Doc. No.: PRNS-P-020
Rev.No.:01
Dt: 10-05-2025