QMS Aud it C heckl ist

Bringing a medical device to market is hard. greenlight.guru’s beautifully simple QMS and design control software makes it easier. Click here to schedule your free personal demo today.
FDA-ISO QMS Audit Checklist developed by greenlight.guru
Audit #:
Dates:
Lead Auditor: PP = Positive Practice
A = Acceptable
Objecti ve NC, OFI, PP,
Item Subsystem / Assessment Detail FDA / ISO reference Auditor Notes Auditor Observation Evidence or A?
Management Controls (main subsystem)

review quality manual;

ensure Quality Manual defines scope of QMS, procedures review QMS metrics;
(or reference to) within QMS , and description of the ISO 13485:2003: 4.1, 4.2.2 review critical processes and
1 interaction of processes within QMS ISO 13485:2016: 4.1, 4.2.2 procedures
verify criteria and methods are in place to monitor and ISO 13485:2003: 4.1(c), 4.2.1( d) , 8.4 review QMS metrics;
2 control processes for effectiv eness ISO 13485:2016: 4.1.3(a), 4.2.1(d), 8.4 review management reviews
ISO 13485:2003: 5.1(d), 5.6
Verify firm has established and conducts Management ISO 13485:2016: 5.1(d), 5.6; request procedure in advance;
3 Reviews, at least annually 21 CFR 820.5, 820.20(c) review management reviews

confirm manag ement reviews examine suitability and ISO 13485:2003: 4.1(f ), 5.6.1, 5.6.3, 6.1, 8.4
effectiveness of quality systems, improvements needed ISO 13485:2016: 4.1.3(c), 5.6.1, 5.6.3, 6.1, 8.4;
4 because of customer requirements, and resource needs 21 CFR 820.20(c) review procedure

ensure management review addresses audit results,

customer feedback, process performance, CAPAs,
prev ious management reviews, changes to QMS ,
recommendations f or improvement, and new or revised ISO 13485:2003: 5.6.2
5 regulatory requirements ISO 13485:2016: 5.6.2 review management reviews

ISO 13485:2003: 4.1(a), 4.2.1(b), ( c) request quality manual and

verify firm has established a Quality Manual and Quality ISO 13485:2016: 4.1.2(a), 4.2.1(b), (c); procedures in advance;
6 System Procedures and Instructions that are appropriate 21 CFR 820.5, 820.20(c), ( d) , (e), 820.22 review documents
ISO 13485:2003: 4.2.1(d), 5.4
ISO 13485:2016: 4.2.1(d), 5.4;
7 Verify firm has established Quality Plan 21 CFR 820.20(d) request quality plan in advance
ISO 13485:2003: 5.4.2
confirm that Quality Planning addresses QM S needs and ISO 13485:2016: 5.4.2;
8 Quality Objectives 21 CFR 820.20(a) , (d) review quality plan

ISO 13485:2003: 4.2.1(a), 5.1(b), ( c), 5.3, 5.4.1 interview employees about quality
verify firm has implemented Quality Policy and Quality ISO 13485:2016: 4.2.1(a), 5.1(b), ( c), 5.3, 5.4.1 policy;
9 Objectives 21 CFR 820.20(a) , (d) review training records

request procedure in advance;

ISO 13485:2003: 4.2, 8.2.2 review audit schedule and
Verify firm has established Quality Audit proc edures and ISO 13485:2016: 4.2, 8.2.4; documents;
10 conducts audits 21 CFR 820.20(c), 820.22 review auditor training
ISO 13485:2003: 4.1(f ), 4.2.1(d), 8.2.2
ISO 13485:2016: 4.1.3(c), 4.2.1(d), 8.2.4; review procedure;
11 ensure quality audits examine compliance and effectiveness 21 CFR 820.22 review audit records
ISO 13485:2003: 6.2.2, 8.2.2
ISO 13485:2016: 6.2, 8.2.4; review audit records;
12 verify that auditors are trained 21 CFR 820.22 review training records

ISO 13485:2003: 8.2.2

ISO 13485:2016: 8.2.4; review audit records;
13 ensure that audits are conducted by objective parties 21 CFR 820.22 review training records

ISO 13485:2003: 8.2.2

ISO 13485:2016: 8.2.4;
14 confirm quality audits are linked to CAPA 21 CFR 820.22, 820.100 review procedures
IS O 13485:2003: 4.1(d), 5.1(e), 5.5.1, 5.5.2, 6.1, 6.2
IS O 13485:2016: 4.1.3(b), 5.1(e) , 5.5.1, 5.5.2, 6.1,
Review org anizational structure of firm; confirm resources 6.2; request organizational chart(s) in
15 are available to support processes 21 CF R 820.20(b), 820.25 advance

ask management representative to

identify responsibility for:
-changes to procedures, device
designs, manufacturing processes
verify firm has defined a management representative with ISO 13485:2003: 5.1, 5.5.1, 5.5.2, 6.1, 6.2 -rev iew of quality audit results
executi ve responsibility for implementing and reporting ISO 13485:2016: 5.1, 5.5.1, 5.5.2, 6.1, 6.2; -oversight and interaction with
16 quality management system 21 CFR 820.20(b)(3), 820.25 CAPA activiti es
ISO 13485:2003: 5.1(e), 5.5.1, 5.5.2, 6.1, 6.2 interview management
verify appropriate responsibilities , authority, and ISO 13485:2016: 5.1(e), 5.5.1, 5.5.2, 6.1, 6.2; representative about resource
17 resourc es are in place for quality system activities 21 CFR 820.5(b)(1)-( 2), 820.20(b), 820.25 allocation

verify firm has established procedures for identify ing

training needs; ISO 13485:2003: 6.2
ensure personnel are trained to perform assigned ISO 13485:2016: 6.2; review procedures;
18 responsibilities 21 CFR 820.25(b) review training records

AT AUDIT CONCLUSION . . .
Determine if executive management ensures adequate interview executive management;
and effectiv e quality system is implemented. Ensure provide confirmation or failures of
management is committed to and communicates quality sy stem;
importance of meeti ng customer requirements, ISO 13485:2003: 5.1(a), 5.2, 5.5.3 review other subsystems and
19 regulatory requirements, and QMS. ISO 13485:2016: 5.1(a), 5.2, 5.5.3 return to management controls
Design & Development / Design Controls (main subsystem)

ISO 13485:2003: 7.1, 7.3

ISO 13485:2016: 7.1, 7.3; review procedure;
1 verify products are subject to design controls 21 CFR 820.30(a) review products
ISO 13485:2003: 7.3
verify design control and risk management proc edures are ISO 13485:2016: 7.3; ensure procedures address all
2 established and applied 21 CFR 820.30(a) - (j) design control elements

ensure desig n and development stages are identified;

confirm that rev iew, verification, validation, and design ISO 13485:2003: 7.3.1
transfer activities at each stage are appropriate; verify ISO 13485:2016: 7.3.2;
3 responsibilities for design and development are defined 21 CFR 820.30 review procedures

selection criteria:
-contains softw are
-single produc t focus
-risk based
-result of complaints, problems
-most recent
-cover produc t range
4 select a design project -recent 510(k), PM A, CE mark

review procedure;
assess plan's
-milestones
-phases
ISO 13485:2003: 7.3.1 -responsibilities
review the project design & development plan, ISO 13485:2016: 7.3.2; -risk management
5 responsibilities, and interfaces 21 CFR 820.30(b) -interfaces

ISO 13485:2003: 7.3.1

verify design & development plan is updated, reviewed, ISO 13485:2016: 7.3.2; review plan revisions;
6 and approv ed 21 CFR 820.30(b) review and approval procedures

review procedure;
ensure requirements address
-intended use
-functional, performance, and
confirm design input requirements were established, safety requirements
reviewed, and approved; ensure customer requirements -applicable statutory and regulatory
are captured; ensure inputs include functional, ISO 13485:2003: 7.2.1, 7.3.2 requirements
performance, safety, and statutory and regulatory ISO 13485:2016: 7.2.1, 7.3.3; -user and patient needs
7 requirements 21 CFR 820.30(c) -other essential requirements

ISO 13485:2003: 7.3.2

incomplete, ambiguous, and/or conflicting requirements ISO 13485:2016: 7.3.3; review procedure;
8 were addressed 21 CFR 820.30(c) review resolutions

review procedure;
ISO 13485:2003: 7.3.3(a), (c) review drawings, specifications,
confirm design & dev elopment outputs are established, ISO 13485:2016: 7.3.4(a), (c) ; labeling, packaging, work
9 verifiable, rev iewed, and approved 21 CFR 820.30(d) instructions, IFUs
ISO 13485:2003: 7.3.3(b)
ensure desig n & development outputs are appropriate for ISO 13485:2016: 7.3.4(b);
10 purchasing , production, and servicing 21 CFR 820.30(d) review procedure;

review procedure;
ISO 13485:2003: 7.3.3(d) review drawings, specifications,
ISO 13485:2016: 7.3.4(d); labeling, packaging, work
11 verify essential design & development outputs are identified 21 CFR 820.30(d) instructions, IFUs

review procedure;
review drawings, specifications,
confirm acceptance criteria is referenced by design & ISO 13485:2003: 7.3.3(c), 7.3.5 labeling, packaging, work
development outputs and was defined prior to design ISO 13485:2016: 7.3.4(c), 7.3.6; instructions, IFUs;
12 verification and desig n validation activities 21 CFR 820.30(d) & (f ) review verification activities
ISO 13485:2003: 7.3.5
determine if desig n verification confirmed design outputs ISO 13485:2016: 7.3.6; review procedure;
13 met design input requirements 21 CFR 820.30(f) review verification activities

ISO 13485:2003: 7.3.6

confirm design validation results prove dev ice met ISO 13485:2016: 7.3.7; review procedure;
14 predetermined user needs and intended uses 21 CFR 820.30(g) review validation activities

ISO 13485:2003: 7.3.6

confirm design validation did not leave unresolved ISO 13485:2016: 7.3.7; assess design and specification
15 discrepancies 21 CFR 820.30(g) changes

if required by national or regional regulations, confirm ISO 13485:2003: 7.3.6

clinical evaluations and/or evaluation of device ISO 13485:2016: 7.3.7; review procedure;
16 performance were performed 21 CFR 820.30(g) review evaluation data
ISO 13485:2003: 7.3.1, 7.3.6 ensure software component have
ISO 13485:2016: 7.3.2, 7.3.7; satisfied design, validation, and
17 if device contains software, confirm software was validated 21 CFR 820.30(g) , 820.75 change control requirements

ISO 13485:2003: 7.3.6 review procedure;

determine if initial production units (or equivalents) were ISO 13485:2016: 7.3.7; evaluate prototype / production
18 used for design validation 21 CFR 820.30(g) records

ISO 13485:2003: 7.1 review procedure;

ISO 13485:2016: 7.1; review risk management file;
ISO 14971:2000; ensure risk analysis, ev aluation, and
19 confirm risk management activities were performed 21 CFR 820.30(g) control steps are addressed

ISO 13485:2003: 7.3.1, 7.3.5, 7.3.7 review procedure;

confirm design changes were controlled and validated ( or ISO 13485:2016: 7.3.2, 7.3.6, 7.3.9; review design changes and
20 where appropriate, verified) 21 CFR 820.30(i), 820.70(b), 820.75(c) documentation decisions
ISO 13485:2003: 7.3.1, 7.3.5, 7.3.7
confirm design changes have been reviewed for effect on ISO 13485:2016: 7.3.2, 7.3.6, 7.3.9; review design changes and
21 components and product previously made 21 CFR 820.30(i), 820.70(b) documentation decisions

ISO 13485:2003: 7.2.2, 7.3.1, 7.3.4 review procedure;

determine if desig n reviews were conducted at ISO 13485:2016: 7.2.2, 7.3.2, 7.3.5; review design review
22 appropriate stages of design & dev elopment 21 CFR 820.30(e) documentation

ISO 13485:2003: 7.3.1, 7.3.4

confirm design review attendees were appropriate f or ISO 13485:2016: 7.3.2, 7.3.5;
23 stage and included independent reviewer 21 CFR 820.30(e) review design review documentation

ISO 13485:2003: 7.3.1

ISO 13485:2016: 7.3.2, 7.3.8; review procedure;
24 determine if design was correctly transferred to production 21 CFR 820.30(h) review DMR
ISO 13485:2016: 7.3.10
25 ensure DHF contains design control documentation 21 CFR 820.30(b) - ( j) review DHF
Corrective & Preventive Actions (CAPA) (main subsystem)

ISO 13485:2003: 4.1, 4.2, 8.5

ISO 13485:2016: 4.1, 4.2, 8.5;
1 verify CAPA procedures comply with regulatory requirements 21 CFR 820.100( a) review procedures

ISO 13485:2003: 8.3, 8.5

verify non-conforming product and CAPA procedures ISO 13485:2016: 8.3, 8.5;
2 determine the need for investigation and notification 21 CFR 820.90(a) , 820.100(a)( 2) review procedures

ISO 13485:2003: 8.3, 8.5

verify non-conforming product and CAPA procedures ISO 13485:2016: 8.3, 8.5;
3 define responsibilities for review and disposition 21 CFR 820.90(b)(1) review procedures

review procedures;
ensure that procedures for rework, retesting, and re- ISO 13485:2003: 8.3, 8.5 review DHRs (of nonconforming
evaluation of nonconforming product exist and are ISO 13485:2016: 8.3, 8.5; products)
4 followed 21 CFR 820.90(b)(2)

review records of acceptance

ISO 13485:2003: 8.3, 8.5 activities, production test failures,
verify that appropriate records of quality problems have ISO 13485:2016: 8.3, 8.5; returned products, service records,
5 been created and used 21 CFR 820.100( a)(1) complaints

review procedures;
ISO 13485:2003: 8.1, 8.2.3, 8.4, 8.5 review records of incoming
determine if trend analysis data indicates quality ISO 13485:2016: 8.1, 8.2.5, 8.4, 8.5; products, components, testing, S PC
6 problems; determine if data used for CAPA decisions 21 CFR 820.100( a)(1), 820.250 data

review data sources;

verify CAPA data is complete, acc urate, and timely; ISO 13485:2003: 8.4, 8.5 use data tables to determine
compare results across multiple data sources to identify ISO 13485:2016: 8.4, 8.5; sampling plan;
7 quality problems 21 CFR 820.100( a)(1) compare results

ISO 13485:2003: 8.1, 8.2.3, 8.4

ISO 13485:2016: 8.1, 8.2.5, 8.4; review procedures;
8 verify appropriate statistical techniques are implemented 21 CFR 820.100( a)(1), 820.250 review techniques used

ISO 13485:2003: 8.3, 8.5

ISO 13485:2016: 8.3, 8.5; review procedures;
9 verify device failure investigations determine root cause 21 CFR 820.100( a)(2) review investigations

ISO 13485:2003: 8.3, 8.5

ISO 13485:2016: 8.3, 8.5; review procedures;
10 verify failure investigations are commensurate with risks 21 CFR 820.100( a)(2), 820.90(b) review investigations
ISO 13485:2003: 8.3
verify controls exist to prevent non-conforming product ISO 13485:2016: 8.3; review investigations;
11 from being released 21 CFR 820.90(b) review non-conformance records

ISO 13485:2003: 8.2.3, 8.5.2, 8.5.3

ISO 13485:2016: 8.2.5, 8.5.2, 8.5.3;
21 CFR 820.100( a)(3), 820.100( a)(5); 820.100( a)(4), review procedure;
12 verify appropriate actions were taken for quality problems 820.100(b) review CAPA records

ISO 13485:2003: 8.5

determine CAPA actions were effective, verified, v alidated, ISO 13485:2016: 8.5; review procedure;
13 documented, and implemented appropriately 21 CFR 820.100( a)(4), 820.100( a)(5), 820.100(b) review CAPA records

verify CAPAs and nonconformities were disseminated to ISO 13485:2003: 8.3, 8.5
personnel responsible for ensuring quality and prevention ISO 13485:2016: 8.3, 8.5; review CAPA and non-conformance
14 of problems 21 CFR 820.100( a)(6) records
ISO 13485:2003: 5.6.3, 8.3, 8.5
verify quality issues and CAPAs were disseminated for ISO 13485:2016: 5.6.3, 8.3, 8.5; review procedure;
15 Manag ement Review 21 CFR 820.100( a)(6), 820.100( a)(7) review CAPA records

verify firm has procedures for handling complaints and ISO 13485:2003: 7.2.3, 8.2.1
investig ation of advisory notic es / recalls; ensure ISO 13485:2016: 7.2.3, 8.2.1, 8.2.2, 8.2.3;
16 provisions ex ist to feed in CAPA system 21 CFR 820.100, 820.198 review procedures
Medical Device Reporting (MDR)
ISO 13485:2003: 8.5.1
ISO 13485:2016: 8.5.1;
1 Verify MDR procedures comply with regulatory requirements 21 CFR 803.17 review procedures

ISO 13485:2003: 8.5.1

verify firm maintains MDR event files that comply with ISO 13485:2016: 8.5.1;
2 regulatory requirements 21 CFR 803.18 review MDR files

ISO 13485:2003: 8.5.1

confirm appropriate MDR information is identified, ISO 13485:2016: 8.5.1;
3 reviewed, reported, documented, and filed 21 CFR 803, 820.198(d) review MDR files

review procedures;
ISO 13485:2003: 8.5.1 review M DR files;
ISO 13485:2016: 8.5.1; review complaints & returned
4 ensure firm is effective in identifying MDR reportable events 21 CFR 803 products
ISO 13485:2003: 7.2.3, 8.2.1, 8.5.1
ensure firm has established procedures for receiv ing, ISO 13485:2016: 7.2.3, 8.2.1, 8.2.2, 8.5.1;
5 reviewing, and evaluating complaints 21 CFR 820.198( a) - (c) review procedures

ISO 13485:2003: 7.2.3, 8.2.1, 8.5.1

verify firm maintains complaint files and that they are ISO 13485:2016: 7.2.3, 8.2.1, 8.2.2, 8.5.1;
6 reasonably accessible 21 CFR 820.198( a), (f), (g) review complaint records

ISO 13485:2003: 7.2.3, 8.2.1, 8.5.1

confirm that complaints are evaluated to determine if an ISO 13485:2016: 7.2.3, 8.2.1, 8.2.2, 8.2.3, 8.5.1;
7 event should be a MDR 21 CFR 803, 820.198(a) (3) review procedures

ensure complaint inv estigations include the device name,

date of complaint, device identification number, contact
informati on of complainant, details of complaint, date and ISO 13485:2003: 7.2.3, 8.2.1, 8.5.1
results of investigation, any corrective actions, and replies ISO 13485:2016: 7.2.3, 8.2.1, 8.2.2, 8.5.1;
8 to complainant 21 CFR 820.198( e) review complaint records
Reports of Corrections & Removals (C&R)

1 verify C&R procedures comply with regulatory requirements 21 CFR 806 review procedures
determine if removal was initiated
2 examine records of corrections and/or removals of product 21 CFR 806 by firm
3 verify reporting requirements are implemented 21 CFR 806 review procedures
4 identify C&R actions not identified or initiated by firm 21 CFR 806 identify events not identified
confirm ex istence file of non-reportable corrections and
5 removals 21 CFR 806.20 review non-reportable C&R files
Medical Device Tracking
identif y all manufactured or imported devices that require
1 tracking 21 CFR 821.20 review product listings
verify tracking procedures comply with regulatory review procedures;
2 requirements 21 CFR 821.25(c) review records
verify firm performs internal audits of track ing system per
3 timeframes specified in regulations 21 CFR 821.25(c)(3) review procedures
Production & Process Controls (main subsystem) (P&PC)

p age 1 o f 3
QMS Aud it C heckl ist

ISO 13485:2003: 7.1

verify product realization processes are planned; confirm ISO 13485:2016: 7.1;
that risk management occurs throughout product ISO 14971:2000
1 realization 21 CFR 820.70 review procedures

ISO 13485:2003: 7.1 review procedures;

verify planning of product realization is consistent with ISO 13485:2016: 7.1; review product realization
2 requirements of other processes of QMS 21 CFR 820.30, 820.50, 820.80, 820.181 documents

verify requirements have been defined f or suppliers,

contractors, and consultants; ensure suppliers, ISO 13485:2003: 7.1, 7.4.2;
contractors, and consultants are selected on ability to ISO 13485:2016: 7.1, 7.4.2 review procedures;
3 meet requirements 21 CFR 820.50(a) review supplier records

ISO 13485:2003: 7.4.1

ensure firm maintains records of acceptable suppliers, ISO 13485:2016: 7.4.1;
4 contractors, and consultants 21 CFR 820.50(a) (3) review supplier records

verify that data supporting supplier requirements is

maintained; verify that suppliers, contractors, and ISO 13485:2003: 7.4
consultants ag ree to notify firm of changes in products ISO 13485:2016: 7.4;
5 and/or services 21 CFR 820.40, 820.50( a)(3), ( b) review records

verify procedures for identifying product during all stages ISO 13485:2003: 7.5.3
of receipt, production, distribution, and installation are in ISO 13485:2016: 7.5.8, 7.5.9;
6 place 21 CFR 820.60 review procedures

ensure firm maintains procedures and records for

traceability of each unit, lot, or batch of finished devices ISO 13485:2003: 7.5.3.2 review procedures;
and components ISO 13485:2016: 7.5.9; review DHRs
7 NOTE: may not be required for all devices 21 CFR 820.65

selection criteria:
-CAPA indicators of process issues
-process for higher risk device
-degree of risk for process to cause
dev ice failures
-lac k of familiarity and experience
with process
-process used for multiple devices
-variety in process technologies
-processes not covered during
8 select a process to review previous inspec tions

review specific procedures,

ISO 13485:2003: 7.5, 7.6, 8.2.3, 8.2.4, 8.4 instructions, draw ings, etc.;
ISO 13485:2016: 7.5, 7.6, 8.2.5, 8.2.6, 8.4; may inc lude in- process and/or
21 CFR 820.50, 820.70( a), 802.70(e) , 820.70(f) -(h), finished dev ice acceptance
9 verify process is controlled and monitored 820.72, 820.75(b), 820.80 activities

ISO 13485:2003: 7.5

verify the equipment used has been adjusted, calibrated, ISO 13485:2016: 7.5; review equipment records;
10 and maintained 21 CFR 820.70(g) (3), 820.72(a), 820.70(g)(1) review procedures

review production, equipment,

maintenance, & calibration records
related to:
-in-process acceptance criteria &
acceptance
-finished dev ice acceptance criteria
identif y control and oversight activities; ISO 13485:2003: 7.6, 8.4 & acceptance
ensure control of inspection, measuring , test equipment, ISO 13485:2016: 7.6, 8.4; -environmental control systems
11 and calibrati on 21 CFR 820.50(a) (2) , 820.72 -contamination control systems
verify firm has established procedures for production and ISO 13485:2003: 7.3.7, 7.5.2
process changes; ensure c hanges are verified or validated, ISO 13485:2016: 7.3.9, 7.5.6;
12 as needed 21 CFR 820.70(b), 820.75( c) review procedures

ISO 13485:2003: 8.3

review device history record (DHR) to identify rejects ISO 13485:2016: 8.3;
13 and/or non-conformances 21 CFR 820.70 review DHRs

review material records;

review DHRs;
determine if
-properly handled
-result of equipment calibration
failures
ISO 13485:2003: 8.3 -result of equipment maintenance
verify that defects, rejects, non-conformances, and ISO 13485:2016: 8.3; failures
14 removal of materials were handled properly 21 CFR 820.50, 820.70( h), 820.90, 820.100 -result of validation f ailures

review procedures;
identify processes that cannot be
verified;
review validation records to ensure:
-all operators hav e documented
qualification
-full change control of all processes
-calibration and maintenance of all
instruments
-equipment is properly installed,
adjusted, & maintained
-predetermined product
specifications are established
-test sampling and plans are
performed according to statistically
ISO 13485:2003: 7.5.2 valid rationale
ISO 13485:2016: 7.5.6; -process tolerance limits are
15 ensure processes that cannot be fully verified are validated 21 CFR 820.75(a) challenged

ISO 13485:2003: 7.5.2.1

ensure automated or software driven processes are ISO 13485:2016: 7.5.6;
16 validated for intended uses 21 CFR 820.70(i) review validation records
verify that validations are documented and conducted by ISO 13485:2016: 7.5.6; review procedures;
17 qualified personnel 21 CFR 820.75(b)(1) review validation records

ISO 13485:2003: 6.2.2

review personnel records to document personnel are ISO 13485:2016: 6.2;
trained per manufacturing processes and aw are of 21 CFR 820.20(b)(2), 820.25, 820.70, 820.70( d) ,
18 potential defects 820.75(b)(1) review personnel records

ensure that monitoring and control methods, data, date ISO 13485:2003: 7.1, 8.4
performed, indiv iduals performing the process, and the ISO 13485:2016: 7.1, 8.4;
19 major equipment used is doc umented 21 CFR 820.75(b)(2) review validation records

ISO 13485:2003: 4.1, 4.2

ISO 13485:2016: 4.1, 4.2;
21 CFR 820.20, 820.25, 820.30, 820.40, 820.72, review procedures;
20 determine linkages to other processes 820.90, 820.100, 820.180 review key processes
ISO 13485:2003: 6.3, 6.4
ensure the infrastruc ture and work env ironment are ISO 13485:2016: 6.3, 6.4; review procedures;
21 appropriate and controlled 21 CFR 820.70(c), (f), (g) review records

ISO 13485:2003: 7.6

confirm that maintenance schedules, routine inspections, ISO 13485:2016: 6.3, 7.5.1, 7.5.6, 7.6; review procedures;
22 and adjustments to equipment occur 21 CFR 820.70(g) review records

ISO 13485:2003: 7.5.1.2.1

verify procedures are in place for contamination control ISO 13485:2016: 6.4.2, 7.5.2;
23 and cleanliness 21 CFR 820.70(e) review procedures

ISO 13485:2003: 7.4.3, 8.4

ISO 13485:2016: 7.4.3, 8.4; review procedures;
24 determine if verification of purchased products is adequate 21 CFR 820.50(a) (2) , 820.80(b) review records
ISO 13485:2003: 7.5.5, 8.4
ensure procedures define receiv ing, in- process, and final ISO 13485:2016: 7.5.11, 8.4;
25 acceptance activities. 21 CFR 820.80(a) - (d) review procedures

ISO 13485:2003: 8.4

confirm receiv ing, in-proc ess, and final acceptanc e activity ISO 13485:2016: 8.4;
26 records exist 21 CFR 820.80(e) review records

ISO 13485:2003: 7.1, 8.2.4 review acceptance criteria;

verify that procedures exist and that acceptance status of ISO 13485:2016: 7.1, 8.2.6; review procedures;
27 product is indicated 21 CFR 820.86 review product identification

ensure procedures define labeling activities, including ISO 13485:2003: 7.5.5

integrity, inspection, storag e, operations, and control ISO 13485:2016: 7.5.11;
28 numbers 21 CFR 820.120 review procedures
confirm that product packaging and shipping containers ISO 13485:2003: 7.5.5 review procedures;
adequately protect device during processing, storage, ISO 13485:2016: 7.5.11; review packaging and shipping
29 handling, shipping, and distributi on 21 CFR 820.130 containers
verify procedures exist to prevent mix- ups, damage, ISO 13485:2003: 7.5.5
deterioration, contamination, or other adverse effects to ISO 13485:2016: 7.5.11;
30 product during handling 21 CFR 820.140, 820.150 review procedures

verify procedures exist for product distribution; confirm

distribution records include name and address of
consignee, identification and quantity shipped, date of ISO 13485:2016: 4.2.3, 7.1, 7.5.8, 7.5.9.2, 7.5.11; review procedures;
31 shipment, and identification numbers 21 CFR 820.160 review distribution records

ISO 13485:2003: 7.5.1.2.2

ensure installation and inspection proc edures exist (if ISO 13485:2016: 7.5.3; review procedures;
32 applicable); verify installation records are maintained 21 CFR 820.170 review installation records
ISO 13485:2003: 7.5.1.2.3
ensure serv icing procedures exist (if applicable); verif y ISO 13485:2016: 7.5.4; review procedures;
33 servicing records are maintained 21 CFR 820.200 review serv icing records
verify firm identifies, verifies, protects, and safeguards ISO 13485:2003: 7.5.4 review procedures;
34 customer property under its care ISO 13485:2016: 7.5.10 identify customer property
Sterilization Process Controls

review procedures;
review validation records to ensure
processes are effective in:
-obtaining S AL
ISO 13485:2003: 7.5.2.2 -product performance not
review sterilization process procedures; verify sterilization ISO 13485:2016: 7.5.7; adversely affected
1 process is validated 21 CFR 820.75(a) , (c) -packaging not adversely affected

ISO 13485:2003: 7.5.1.3

ISO 13485:2016: 7.5.5;
review sterilization control and monitoring activities; 21 CFR 820.50, 820.70( a), (c),(e) , (f) , (g), (h), 820.72,
2 ensure processes, equipment, and calibration are current 820.75(b), 820.80 review sterilization records
review DHR for sterilization failures; ensure integration
4 with CAPA system 21 CFR 820.75(b) review sterilization records
review sterilization records;
review equipment adjustment,
5 ensure sterilization failures were handled properly 21 CFR 820.70(g)(3), 820.72(a), 820.70(g)(1) calibration, and maintenance

review personnel records to document personnel are

qualified and trained with implemented sterilization
6 activities 21 CFR 820.25, 820.70(d), 820.75(b) review personnel records
ensure automated or software driven sterilization
7 processes are controlled and validated 21 CFR 820.70(i) review validation records
Purchasing Controls (main subsystem for virtual manufacturers)

ISO 13485:2003: 7.4.1

ISO 13485:2016: 7.4.1;
1 review supplier evaluation procedures 21 CFR 820.50 review procedures

ISO 13485:2003: 7.4.1

ensure suppliers are evaluated for ability to meet ISO 13485:2016: 7.4.1;
2 specified requirements 21 CFR 820.50(a) (1) review procedures

ISO 13485:2003: 7.4.2

ensure adequacy of specifications of materials and/or ISO 13485:2016: 7.4.2;
3 services provided by supplier is confirmed 21 CFR 820.50(b) review procedures

confirm purchasing information identifies requirements

for approval of product, procedures, processes, and ISO 13485:2003: 7.4.2
equipment, requirements for personnel qualification, and ISO 13485:2016: 7.4.2; review purchasing records;
4 QMS requirements 21 CFR 820.50 review procedures

ISO 13485:2003: 7.4.1

ISO 13485:2016: 7.4.1; review procedures;
5 verify supplier evaluation records are maintained 21 CFR 820.50(a) (3) review supplier evaluation records
ISO 13485:2003: 7.4.3
determine that verification and acceptance of purchased ISO 13485:2016: 7.4.3; review procedures;
6 materials and/or services is adequate 21 CFR 820.50(a) (2) , 820.80(a), 820.80(b) review acceptance records
Documentation & Records

review procedures f or identification, storage, protection, ISO 13485:2003: 4.2.3, 4.2.4

retrieval, retention time, control, approval, distribution, ISO 13485:2016: 4.2.4, 4.2.5;
1 disposition, and changes of documents and records 21 CFR 820.40, 820.180 review procedures

review procedures;
ISO 13485:2003: 4.2.3 review documents and records;
ISO 13485:2016: 4.2.4; review change management
2 ensure documents and changes are approved prior to use 21 CFR 820.40 records
ISO 13485:2003: 4.2.3(e), 4.2.4
3 verify documents and records are legible and identifiable ISO 13485:2016: 4.2.4(e), 4.2.5 review documents and records
ensure documents of external origin are identified with ISO 13485:2003: 4.2.3(f)
4 controlled distribution ISO 13485:2016: 4.2.4(f) review external documents and records

ISO 13485:2003: 4.2.1(e), (f) ;

verify firm maintains a quality system record ( QSR) w hich ISO 13485:2016: 4.2.1(c), ( e)
5 includes or refers to location of procedures 21 CFR 820.20, 820.40, 820.186 review procedures

ISO 13485:2003: 4.2.1, 4.2.3, 4.2.4;

confirm that documents and records are retained for ISO 13485:2016: 4.2.1, 4.2.4, 4.2.5
required leng th of time (this includes retention of 21 CFR 820.100( b) , 820.180(b), 820.181, 820.184, review procedures;
6 obsolete controlled doc uments and records) 820.186, 820.198(a), 820.200(d) review documents and records

ensure chang e records are reviewed and approv ed by the ISO 13485:2003: 4.2.3, 7.3.7
same functions that performed original review and ISO 13485:2016: 4.2.4, 7.3.9; review procedures;
7 approval 21 CFR 820.40(b) review change records
verify change records include a description of change, ISO 13485:2003: 7.3.7
identification of affected documents, approval signatures, ISO 13485:2016: 7.3.9; review procedures;
8 approval date, and effective date 21 CFR 820.40(b) review change records

review procedures;
ISO 13485:2003: 4.2.3(d), (g) review document distribution;
ensure documents are available at point of use and ISO 13485:2016: 4.2.4(d), (h); review change management
9 obsolete document are not in use 21 CFR 820.40(a) records
ISO 13485:2003: 4.2.1
ISO 13485:2016: 4.2.1;
10 verify that firm maintains DMRs for each type of device 21 CFR 820.181 review DMRs

ensure that DMRs contain or make reference to device

specifications, production process spec ifications, quality
assurance procedures and specifications (including
acceptance criteria), packag ing and labeling specifications ISO 13485:2003: 4.2.1
(including ac ceptance criteria) , and installation, ISO 13485:2016: 4.2.1;
11 maintenance, and servicing procedures 21 CFR 820.181( a) - (e) review DMRs

verify that DHRs are maintained and devices are ISO 13485:2003: 7.1, 8.2.4
manufactured according to DMR; ensure realization ISO 13485:2016: 7.1, 8.2.6;
12 processes and product meet requirements 21 CFR 820.184 review DHRs

confirm that DHRs contain or make reference to dates of

manufacture, quantity manufactured, quantity released
for distribution, acc eptance records demonstrating the
device was manufactured per DMR, primary identification ISO 13485:2003: 8.2.4
label and labeling used for each unit, and device ISO 13485:2016: 8.2.6;
13 identification and/or control numbers used. 21 CFR 820.184( a) - (f) review DHRs
ensure firm maintains records for education, training, ISO 13485:2003: 6.2.2(e)
14 skills, and experience of resources ISO 13485:2016: 6.2 (e) review training records

ISO 13485:2003: 7.4.1, 7.4.3

ISO 13485:2016: 7.4.1, 7.4.3; review purchasing and supplier
15 verify firm maintains purchasing and supplier records 21 CFR 820.50 records
ensure sterilization process parameters and records are
maintained for each batch; ensure sterilization v alidation ISO 13485:2003: 7.5.1.3, 7.5.2.2
16 records are maintained ISO 13485:2016: 7.5.5, 7.5.7 review sterilization records
Customer Requirements

review product requirements to ensure that intended use, ISO 13485:2003: 7.2.2 review procedures;
customer requirements, and regulatory requirements are ISO 13485:2016: 7.2.2; review product requirements
1 addressed 21 CFR 820.30(c), 820.30(d), 820.30( f), 820.30( g) documents
confirm incoming contracts and orders are reviewed to
resolve conflicting information and that customer ISO 13485:2003: 7.2.2 review procedures;
2 requirements can be met ISO 13485:2016: 7.2.2 review incoming inspecti on records

verify that procedures and systems ex ist for customer ISO 13485:2003: 7.2.3, 8.2.1
communications and feedback ; ensure integration with ISO 13485:2016: 7.2.3, 8.2.1;
3 CAPA system 21 CFR 820.100( a)(1), 820.198 review procedures
Technical Files (main subsystem)

ISO 13485:2003: 4.2.1(d)

ISO 13485:2016: 4.2.1(d);
1 review technical file procedures 21 CFR 820.180, 820.181, 820.184, 820.186 review procedures

ISO 13485:2003: 4.2.1(d)

review documents need to ensure planning, operation, ISO 13485:2016: 4.2.1(d);
2 and control of technical file processes 21 CFR 820.180, 820.181, 820.184, 820.186 review technical file records

selection criteria:
-single produc t focus
- risk based
-result of complaints
-recent project
3 select documentation to review -covers product range

ISO 13485:2003: 7.1, 7.2, 7.3.3

verify documentation addresses a general description of ISO 13485:2016: 7.1, 7.2, 7.3.4;
product, intended use(s), and any variants, accessories, or 21 CFR 820.30(d), 820.30( g), 820.30(f), 820.181,
4 other devices used in combinati on with product 820.50, 820.75 review technical file records

ISO 13485:2003: 7.1, 7.2, 7.3.3

ISO 13485:2016: 7.1, 7.2, 7.3.4;
ensure desig n specifications, standards applied, and 21 CFR 820.30(d), 820.30( g), 820.30(f), 820.181,
5 results of risk analysis are present 820.50, 820.75 review technical file records

p age 2 o f 3
QMS Aud it C heckl ist

ISO 13485:2003: 7.1, 7.2, 7.3.3

ISO 13485:2016: 7.1, 7.2, 7.3.4;
21 CFR 820.30(d), 820.30( g), 820.30(f), 820.181,
6 confirm that principal requirements have been fulfilled 820.50, 820.75 review technical file records

ISO 13485:2003: 7.1, 7.2, 7.3.3

ISO 13485:2016: 7.1, 7.2, 7.3.4;
review techniques used to verify design and validate 21 CFR 820.30(d), 820.30( g), 820.30(f), 820.181,
7 product(s) clinical data 820.50, 820.75 review technical file records

ISO 13485:2003: 7.1, 7.2, 7.3.3

ISO 13485:2016: 7.1, 7.2, 7.3.4;
ensure documentation defines sterilization method and 21 CFR 820.30(d), 820.30( g), 820.30(f), 820.181,
8 validation 820.50, 820.75 review technical file records

ISO 13485:2003: 7.1, 7.2, 7.3.3

ISO 13485:2016: 7.1, 7.2, 7.3.4;
ensure documentation includes instruction manual(s) and 21 CFR 820.30(d), 820.30( g), 820.30(f), 820.181,
9 labeling 820.50, 820.75 review technical file records

ISO 13485:2003: 7.1, 7.2, 7.3.3

ISO 13485:2016: 7.1, 7.2, 7.3.4;
21 CFR 820.30(d), 820.30( g), 820.30(f), 820.181,
10 verify major subcontractors have been documented 820.50, 820.75 review technical file records

p age 3 o f 3