The Ultimate Internal Audit Checklist Every Medical Device Company Needs

It was nothing more than a checklist that saved $175 million and 1,500 lives.

Professional surgeon and public health researcher Atul Gawande reported, in a now-famous article for The New Yorker, that the simple act of requiring doctors to use checklists as they did their rounds helped one hospital system drop its quarterly infection rate to zero. Hospitals across the region saved millions of dollars and thousands of lives, all because of a simple checklist.

The lesson here applies across industries, particularly for the medical device industry. If you want your product and processes to be efficient, effective, and accurate, the checklist is the tool to use.

There are few times when efficiency, effectiveness, and accuracy are more important than during your internal audits. FDA and ISO require medical device companies to conduct internal audits although the quality of these audits can vary widely.

This guide will provide the ultimate internal audit checklist you can begin using today to ensure every system, process, and operation associated with your device is performing at its best.

FREE RESOURCE: Click here to download a printable version of The Ultimate Internal Audit Checklist.

Review FDA and ISO standards

Internal audits are not a “nice to have” procedure. Both FDA and ISO require manufacturers to conduct regular internal audits. Before we continue, let’s review the language each uses.

FDA 21 CFR Part 820.22 states:

Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and re-audits shall be documented.

In other words, manufacturers must conduct quality audits to ensure compliance. Internal auditors have to be objective and initiate corrective actions as necessary. Of course, all this needs to be documented and made available to the necessary stakeholders, too.

ISO 13485:2016 Section 8.2.4 Internal audit states:

The organization shall conduct internal audits at planned intervals to determine whether the quality management system: a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements; b) is effectively implemented and maintained.

In other words, ISO, too, requires organizations to conduct internal audits. The goal, similar to FDA, is to determine compliance to ISO requirements and effective implementation of QMS best practices.

The quality management system standard for medical devices goes on to say that the audit program must take “into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits” and requires companies to define and record the “audit criteria, scope, interval and methods.”

Without defining things like criteria, scope, interval, and methods—as ISO 13485:2016 outlines—the internal audit process can quickly go haywire.

We worked with one company that included an annual internal audit in their SOPs but realized on month eleven that they hadn’t followed their own requirement. They had to scramble and hire an external consultant who could only make judgments from afar. The company learned nothing and gained little more than a check mark from the audit.

You can do better.

 

Determine the scope of your internal audits

Determining the scope of your internal audit will give it the best chance of success. With a plan in mind, you can turn internal audits—something most quality managers lose sleep over—into an opportunity for company-wide improvement.

The scope of your internal audit is a combination of your timeline and your checklist. Your timeline determines when you perform internal audits, and the checklist determines what you do during those audits.

The timeline for your internal audits will vary depending on several factors. A medical device QMS (MDQMS) solution like Greenlight Guru with specific audit management workflows can expedite the overall audit prep time and improve audit outcomes. 

greenlight-guru-audit-prep-vs-traditional-systems

Click here to see how Greenlight Guru can shorten your audit prep time from weeks to hours

Your internal audit timeline will also vary based on the markets your device is entering. Different regulations will apply, and different timing will be necessary.

ISO audits, for instance, usually occur before your device enters a market. It’s best to do your internal audits as early as possible so you can heed off ISO audits. FDA inspections occur after a device passes the review process and is ready for market launch. Conduct internal audits as you prepare your device submissions to FDA so you’re ready in the event of an FDA inspection.

The checklist for your internal audits will ensure that your internal audits are comprehensive—not so short that they miss things and not so long that they become burdensome. 

Separate your checklist by section, and make sure that each item complies with its applicable regulation. Verify the standard during the audit, including listing procedures and their associated records.

The goal of an external auditor isn’t to focus individual requirements; it is to determine the overall effectiveness of your QMS. As such, you should ensure that during your internal audit, you don’t lose the forest for the trees. 

Write your internal audit checklist from the perspective of an external auditor. Be stricter than the auditor and you’ll pass easily when the actual external auditor comes.

 

Management

The management section of your internal audit checklist is meant to verify that management reviews are being held in an effort  to support and maintain an effective QMS.

 

Management tasks
References
  • Internal auditors are trained. 

ISO 13485:2016: 6.2, 8.2.4

FDA 21 CFR 820.22

  • Objective parties conduct internal audits. 

ISO 13485:2016: 8.2.4

FDA 21 CFR 820.22

  • The quality manual defines the scope of your QMS and its procedures within your QMS and describes the interaction of processes within your QMS.

ISO 13485:2016: 4.1, 4.2.2

  • Internal auditors are trained. 

ISO 13485:2016: 6.2, 8.2.4

FDA 21 CFR 820.22

  • Objective parties conduct internal audits. 

ISO 13485:2016: 8.2.4

FDA 21 CFR 820.22

  • The quality manual defines the scope of your QMS and its procedures within your QMS and describes the interaction of processes within your QMS. 

ISO 13485:2016: 4.1, 4.2.2

  • Criteria and methods are in place to monitor and control processes for effectiveness. 

ISO 13485:2016: 4.1.3(a), 4.2.1(d), 8.4

  • Internal auditors are trained.

ISO 13485:2016: 6.2, 8.2.4

FDA 21 CFR 820.22

  • Objective parties conduct internal audits. 

ISO 13485:2016: 8.2.4

FDA 21 CFR 820.22

  • The quality manual defines the scope of your QMS and its procedures within your QMS and describes the interaction of processes within your QMS. 

ISO 13485:2016: 4.1, 4.2.2
  • Criteria and methods are in place to monitor and control processes for effectiveness. 

ISO 13485:2016: 4.1.3(a), 4.2.1(d), 8.4
  • Conduct management reviews, at least annually. 

ISO 13485:2016: 5.1(d), 5.6

FDA 21 CFR 820.5, 820.20(c)

  • Management reviews examine the suitability and effectiveness of quality systems, determine what improvements are needed because of customer requirements, and identify resource needs. 

ISO 13485:2016: 4.1.3(c), 5.6.1, 5.6.3, 6.1, 8.4

FDA 21 CFR 820.20(c)

  • Management review addresses audit results, customer feedback, process performance, CAPAs, previous management reviews, QMS changes, recommendations for improvement, and new or revised regulatory requirements.

ISO 13485:2016: 5.6.2
  • A quality manual and quality system procedures and instructions are appropriate and present. 

ISO 13485:2016: 4.1.2(a), 4.2.1(b), (c)

FDA 21 CFR 820.5, 820.20(c), (d), (e), 820.22

  • A Quality Plan is present.

ISO 13485:2016: 4.2.1(d), 5.4

FDA 21 CFR 820.20(d)

  • Quality Planning addresses QMS needs and Quality Objectives. 

ISO 13485:2016: 5.4.2

FDA 21 CFR 820.20(a), (d)

  • Verify firm has implemented Quality Policy and Quality Objectives. 

ISO 13485:2016: 4.2.1(a), 5.1(b), (c), 5.3, 5.4.1

FDA 21 CFR 820.20(a), (d)

  • Verify firm has established Quality Audit procedures and conducts audits.

ISO 13485:2016: 4.2, 8.2.4

FDA 21 CFR 820.20(c), 820.22

  • Quality audits examine compliance and effectiveness. 

ISO 13485:2016: 4.1.3(c), 4.2.1(d), 8.2.4

FDA 21 CFR 820.22

  • Confirm quality audits are linked to CAPA.

ISO 13485:2016: 8.2.4

FDA 21 CFR 820.22, 820.100

  • Resources are available to support processes. 

ISO 13485:2016: 4.1.3(b), 5.1(e), 5.5.1, 5.5.2, 6.1, 6.2

FDA 21 CFR 820.20(b), 820.25

  • A management representative has executive responsibility for implementing a QMS and reporting on its effectiveness. 

ISO 13485:2016: 5.1, 5.5.1, 5.5.2, 6.1, 6.2

FDA 21 CFR 820.20(b)(3), 820.25

  • Appropriate responsibilities, authority, and resources are in place for quality system activities. 

ISO 13485:2016: 5.1(e), 5.5.1, 5.5.2, 6.1, 6.2

FDA 21 CFR 820.5(b)(1)-(2), 820.20(b), 820.25

  • Procedures for identifying training needs are present, and personnel are trained to perform assigned responsibilities. 

ISO 13485:2016: 6.2

FDA 21 CFR 820.25(b)

  • Executive management ensures the implementation of an adequate and effective quality system. Management is committed to and communicates the importance of meeting customer requirements, regulatory requirements, and QMS. 

ISO 13485:2016: 5.1(a), 5.2, 5.5.3


The second check box above asks you to confirm that objective parties conduct your audits. In a big company, that means pulling in someone who can do audits but wasn’t responsible for the components they’re auditing. In smaller companies, that is more difficult to do.

Objectivity can be difficult in a company with only four or five people and perhaps one person in charge of quality. That’s why the management section also covers training. Training can break down silos and encourage the spread of knowledge. 

The end result is that other staff, now objective and capable parties, can help conduct audits. Staff can pursue training from the American Society for Quality or get a Regulatory Affairs Certification (RAC).

 

Design and Development

The design and development section of your internal audit checklist helps you verify that your company controls the design and development processes. The goal is to ensure that your company can produce medical devices that meet user needs as well as align with the intended uses and specified requirements you defined.

External auditors will take a risk-based approach, and because of that, the components in this section will receive extra scrutiny. Auditors will focus on the aspects of these processes that are most likely to affect the safe performance of your medical devices.

As such, this is a section that might warrant special audits. Special audits focus directly on the most sensitive, important parts of your QMS, such as design control, validations, and risk management.

 

Design and Development tasks
References
  • Products are subject to design controls.

ISO 13485:2016: 7.1, 7.3

FDA 21 CFR 820.30(a)

  • Design control and risk management procedures are established and applied.

ISO 13485:2016: 7.3

FDA 21 CFR 820.30(a) - (j)

ISO 13485:2016: 7.3.2

FDA 21 CFR 820.30


External auditors will select a design project to focus on. Auditors can’t review every single record. Auditors use samples to get a granular perspective on one aspect of your company so that they can extrapolate the conclusions for application to other aspects.

Similarly, your internal audit should involve the selection of a design project that you can home in on, using items on the checklist below. To select a good candidate for a design project, find one that contains software, take a single product focus, choose candidates from a risk-based perspective, and prioritize candidates that had problems or generated complaints.

 

Design and Development tasks
References
  • Project design and development plan, responsibilities, and interfaces are present and adequate.

ISO 13485:2016: 7.3.2

FDA 21 CFR 820.30(b)

  • Design and development plan is updated, reviewed, and approved.

ISO 13485:2016: 7.3.2

FDA 21 CFR 820.30(b)

  • Design input requirements are established, reviewed, and approved; customer requirements are captured; inputs include functional, performance, safety, and statutory and regulatory requirements.

ISO 13485:2016: 7.2.1, 7.3.3

FDA 21 CFR 820.30(c)

  • Incomplete, ambiguous, and/or conflicting requirements are addressed.

ISO 13485:2016: 7.3.3

FDA 21 CFR 820.30(c)

  • Design and development outputs are established, verified, reviewed, and approved.

ISO 13485:2016: 7.3.4(a), (c)

FDA 21 CFR 820.30(d)

  • Design and development outputs are appropriate for purchasing, production, and servicing.

ISO 13485:2016: 7.3.4(b)

FDA 21 CFR 820.30(d)

  • Essential design and development outputs are identified.

ISO 13485:2016: 7.3.4(d)

FDA 21 CFR

820.30(d)

  • Acceptance criteria are referenced by design & development outputs and were defined prior to design verification and design validation activities.

ISO 13485:2016: 7.3.4(c), 7.3.6

FDA 21 CFR 820.30(d) & (f)

  • Design verification confirmed that design outputs met design input requirements.

ISO 13485:2016: 7.3.6

FDA 21 CFR

820.30(f)

  • Design validation results prove device met predetermined user needs and intended uses.

ISO 13485:2016: 7.3.7

FDA 21 CFR

820.30(g))

  • Design validation did not leave unresolved discrepancies.

ISO 13485:2016: 7.3.7

FDA 21 CFR

820.30(g)

  • Clinical evaluations or evaluation of device performance was performed (if required by national or regional regulations).

ISO 13485:2016: 7.3.7

FDA 21 CFR

820.30(g)

  • Software was validated (if device contains software).

ISO 13485:2016: 7.3.2, 7.3.7

FDA 21 CFR 820.30(g), 820.75

  • Initial production units (or equivalents) were used for design validation.

ISO 13485:2016: 7.3.7

FDA 21 CFR

820.30(g)

  • Risk management activities were performed.

ISO 13485:2016: 7.1; ISO 14971:2019

FDA 21 CFR 820.30(g)

  • Design changes were controlled and validated (or where appropriate, verified).

ISO 13485:2016: 7.3.2, 7.3.6, 7.3.9

FDA 21 CFR 820.30(i), 820.70(b), 820.75(c)

  • Design changes have been reviewed for effect on components and product previously made.

ISO 13485:2016: 7.3.2, 7.3.6, 7.3.9

FDA 21 CFR 820.30(i), 820.70(b)

  • Design reviews were conducted at appropriate stages of design and development.

ISO 13485:2016: 7.2.2, 7.3.2, 7.3.5

FDA 21 CFR 820.30(e)

  • Design review attendees were appropriate for stage and included independent review.

ISO 13485:2016: 7.3.2, 7.3.5

FDA 21 CFR 820.30(e)

  • Design was correctly transferred to production.

ISO 13485:2016: 7.3.2, 7.3.8

FDA 21 CFR 820.30(h)

ISO 13485:2016: 7.3.10

FDA 21 CFR 820.30(b) - (j)


The design and development section links out to numerous other sections and items. The output of your product design, for instance, will be an input to production. Due to these links, design and development is one of the most likely components to have gaps. As part of your internal audit, perform a gap analysis, and document any gaps found in your audit report.

Keep in mind that you have to check not only the components of each section but also the links between them. No section has more numerous links than design and development.

 

Production and Process Controls

The production and process controls section of your internal audit checklist helps you verify that your company has production and process controls that will produce products that meet specifications. Auditing will include your testing processes, your infrastructure, your facilities, your equipment, and your supplier management processes.

 

 

Production and Process Controls tasks
References
  • Product-realization processes are planned. Risk management occurs throughout product realization. (refer to  and

ISO 13485:2016: 7.1; ISO 14971

FDA 21 CFR 820.70

  • Product-realization planning is consistent with the requirements of other processes of QMS.

refer to ISO 13485:2016: 7.1

FDA 21 CFR 820.30, 820.50, 820.80, 820.181

  • Requirements have been defined for suppliers, contractors, and consultants. Suppliers, contractors, and consultants are selected based on the ability to meet requirements.

ISO 13485:2016: 7.1, 7.4.2

FDA 21 CFR 820.50(a)

  • Maintain records of acceptable suppliers, contractors, and consultants.

ISO 13485:2016: 7.4.1

FDA 21 CFR 820.50(a)(3)

  • Data supporting supplier requirements is maintained. Suppliers, contractors, and consultants agree to notify you of changes in products and/or services.

ISO 13485:2016: 7.4

FDA 21 CFR 820.40, 820.50(a)(3), (b)

  • Procedures for identifying product during all stages of receipt, production, distribution, and installation are in place.

ISO 13485:2016: 7.5.8, 7.5.9

FDA 21 CFR 820.60

  • Maintain procedures and records for traceability of each unit, lot, or batch of finished devices and components.

ISO 13485:2016: 7.5.9

FDA 21 CFR 820.65

 

 

Similar to the design and development section, external auditors will select a specific process to review in greater depth. Internal auditors should do the same.

 

Production and Process Controls tasks
References
  • Sample process is controlled and monitored.

ISO 13485:2016: 7.5, 7.6, 8.2.5, 8.2.6, 8.4

FDA 21 CFR 820.50, 820.70(a), 802.70(e), 820.70(f)- (h), 820.72, 820.75(b), 820.80

  • Equipment used has been adjusted, calibrated, and maintained.

ISO 13485:2016: 7.5

FDA 21 CFR 820.70(g)(3), 820.72(a), 820.70(g)(1)

  • Control and oversight activities can control inspection, measuring, test equipment, and calibration.

ISO 13485:2016: 7.6, 8.4

FDA 21 CFR 820.50(a)(2), 820.72

  • Procedures for production and process changes are present. Changes are verified or validated, as needed.

ISO 13485:2016: 7.3.9, 7.5.6

FDA 21 CFR 820.70(b), 820.75(c)

  • Device history record (DHR) identifies rejects and/or nonconformances.

ISO 13485:2016: 8.3

FDA 21 CFR 820.70

  • Defects, rejects, nonconformances, and removal of materials were handled properly.

ISO 13485:2016: 8.3

FDA 21 CFR 820.50, 820.70(h), 820.90, 820.100

  • Processes that cannot be fully verified are validated.

ISO 13485:2016: 7.5.6

FDA 21 CFR 820.75(a)

  • Automated or software-driven processes are validated for intended uses.

ISO 13485:2016: 7.5.6

FDA 21 CFR 820.70(i)

  • Validations are documented and conducted by qualified personnel.

ISO 13485:2016: 7.5.6

FDA 21 CFR 820.75(b)(1)

  • Personnel records document that personnel are trained per manufacturing processes and are aware of potential defects.

ISO 13485:2016: 6.2

FDA 21 CFR 820.20(b)(2), 820.25, 820.70, 820.70(d), 820.75(b)(1)

  • Monitoring and control methods, data, date performed, individuals performing the process, and the major equipment used is documented.

ISO 13485:2016: 7.1, 8.4

FDA 21 CFR 820.75(b)(2)

  • Linkages to other processes are present.

ISO 13485:2016: 4.1, 4.2

FDA 21 CFR 820.20, 820.25, 820.30, 820.40, 820.72, 820.90, 820.100, 820.180

  • Infrastructure and work environment are appropriate and controlled.

ISO 13485:2016: 6.3, 6.4

FDA 21 CFR 820.70(c), (f), (g)

  • Maintenance schedules, routine inspections, and adjustments to equipment occur.

ISO 13485:2016: 6.3, 7.5.1, 7.5.6, 7.6

FDA 21 CFR 820.70(g)

  • Procedures are in place for contamination control and cleanliness.

ISO 13485:2016: 6.4.2, 7.5.2

FDA 21 CFR 820.70(e)

  • Verification of purchased products is adequate.

ISO 13485:2016: 7.4.3, 8.4

FDA 21 CFR 820.50(a)(2), 820.80(b)

  • Procedures that define receiving, in-process, and final acceptance activities are present.

ISO 13485:2016: 7.5.11, 8.4

FDA 21 CFR 820.80(a) - (d)

  • Receiving, in-process, and final-acceptance activity records exist.

ISO 13485:2016: 8.4

FDA 21 CFR 820.80(e)

  • Acceptance status of product is indicated.

ISO 13485:2016: 7.1, 8.2.6

FDA 21 CFR 820.86

  • Procedures define labeling activities, including integrity, inspection, storage, operations, and control numbers.

ISO 13485:2016: 7.5.11

FDA 21 CFR 820.120

  • Product packaging and shipping containers adequately protect device during processing, storage, handling, shipping, and distribution.

ISO 13485:2016: 7.5.11

FDA 21 CFR 820.130

  • Procedures exist to prevent mix-ups, damage, deterioration, contamination, or other adverse effects to product during handling.

ISO 13485:2016: 7.5.11

FDA 21 CFR 820.140, 820.150

  • Procedures exist for product distribution. Distribution records include name and address of consignee, identification and quantity shipped, date of shipment, and identification numbers.

ISO 13485:2016: 4.2.3, 7.1, 7.5.8, 7.5.9.2, 7.5.11

FDA 21 CFR 820.160

  • Installation and inspection procedures exist (if applicable). Installation records are maintained.

ISO 13485:2016: 7.5.3

FDA21 CFR 820.170

  • Servicing procedures exist (if applicable). Servicing records are maintained.

ISO 13485:2016: 7.5.4

FDA 21 CFR 820.200

  • Procedures that identify, verify, protect, and safeguard customer property under your care are present.
ISO 13485:2016: 7.5.10

 

The production and process controls section is good to do early in the internal audit process. If you audit your warehouse near the beginning of your audit, you can select samples that you’ll use in other sections. 

Auditing production and process controls early also enable you to better audit traceability. You can trace both forward and backward, from production to inputs or from production to outputs.

 

Corrective and Preventive Actions (CAPA)

The corrective and preventive actions (CAPA) section of your internal audit checklist helps you verify that your QMS is self-regulated.

Your company must be collecting and analyzing information so that you can identify and investigate problems and determine whether corrective and preventive actions are necessary and what those actions might look like.

 

CAPA tasks
References
  • CAPA procedures comply with regulatory requirements.

ISO 13485:2016: 4.1, 4.2, 8.5

FDA 21 CFR 820.100(a)

  • Nonconforming product and CAPA procedures determine the need for investigation and notification.

ISO 13485:2016: 8.3, 8.5

FDA 21 CFR 820.90(a), 820.100(a)(2)

  • Nonconforming product and CAPA procedures define responsibilities for review and disposition.

ISO 13485:2016: 8.3, 8

FDA 21 CFR 820.90(b)(1)

  • Procedures for rework, retesting, and reevaluation of nonconforming product exist and are followed.

ISO 13485:2016: 8.3, 8.5

FDA 21 CFR 820.90(b)(2)

  • Appropriate records of quality problems have been created and used.

ISO 13485:2016: 8.3, 8.5

FDA 21 CFR 820.100(a)(1)

  • Trend-analysis data can indicate quality problems. Trend-analysis data is used for CAPA decisions.

ISO 13485:2016: 8.1, 8.2.5, 8.4, 8.5

FDA 21 CFR 820.100(a)(1), 820.250

  • CAPA data is complete, accurate, and timely. Compare results across multiple data sources to identify quality problems.

ISO 13485:2016: 8.4, 8.5

FDA 21 CFR 820.100(a)(1)

  • Appropriate statistical techniques are implemented.

ISO 13485:2016: 8.1, 8.2.5, 8.4

FDA 21 CFR 820.100(a)(1), 820.250

  • Device failure investigations determine the root cause.

ISO 13485:2016: 8.3, 8.5

FDA 21 CFR 820.100(a)(2)

  • Failure investigations are commensurate with risks.

ISO 13485:2016: 8.3, 8.5

FDA 21 CFR 820.100(a)(2), 820.90(b)

  • Controls exist to prevent nonconforming product from being released.

ISO 13485:2016: 8.3

FDA 21 CFR 820.90(b)

  • Appropriate actions were taken for quality problems.

ISO 13485:2016: 8.2.5, 8.5.2, 8.5.3

FDA 21 CFR 820.100(a)(3), 820.100(a)(5); 820.100(a)(4), 820.100(b)

  • CAPA actions were effective and were verified, validated, documented, and implemented appropriately.

ISO 13485:2016: 8.5

FDA 21 CFR 820.100(a)(4), 820.100(a)(5), 820.100(b)

  • CAPAs and nonconformities were disseminated to personnel responsible for ensuring quality and the prevention of problems.

ISO 13485:2016: 8.3, 8.5

FDA 21 CFR 820.100(a)(6)

  • Quality issues and CAPAs were disseminated for Management Review.

ISO 13485:2016: 5.6.3, 8.3, 8.5

FDA 21 CFR 820.100(a)(6), 820.100(a)(7)

  • Procedures for handling complaints and investigation of advisory notices and recalls are present. Provisions exist to feed results into CAPA system.

ISO 13485:2016: 7.2.3, 8.2.1, 8.2.2, 8.2.3

FDA 21 CFR 820.100, 820.198

 

One of the most common issues we see companies do as they conduct internal audits is to log all issues as needing CAPA. If you found an issue in your audit, that doesn’t necessarily need to lead to CAPA. We’ve written before, in our Ultimate Guide to CAPA for Medical Devices, that CAPA is best for systemic issues. 

You have (or should have) complaint handling procedures in place to deal with complaints and nonconformances; many of the issues your internal audit uncovers will be lesser and will need those procedures instead of CAPA.

Additionally, think of your internal audit as one part of your quality system. If your audit uncovers a nonconformance, you needn’t immediately trigger a CAPA. You can instead trigger a request for more records to help you figure out the extent of the nonconformance. You can then include the severity of the nonconformance in your audit report. If the same nonconformance recurs or worsens, you can then trigger CAPA.

New call-to-action

The CAPA section is another area of your QMS that you can subject to a specialized audit. After your initial internal audit, you can conduct a specialized audit that focuses on whatever was affected by the nonconformance you discovered. You can then verify how effective your CAPA was in correcting and preventing that nonconformance.

 

Purchasing Controls

The purchasing controls section of your internal audit checklist helps you verify that the processes you have in place to check the products, materials, and services that your suppliers offer are effective and compliant. 

The purchasing controls section is important for all medical device companies but is especially important for those that outsource design and development or production.

 

Purchasing Controls tasks
References
  • Supplier evaluation procedures are present and adequate.

ISO 13485:2016: 7.4.1 

FDA 21 CFR 820.50

  • Suppliers are evaluated for their ability to meet specified requirements.

ISO 13485:2016: 7.4.1

FDA 21 CFR 820.50(a)(1)

  • Specifications of materials and/or services provided by supplier are adequate and confirmed.

ISO 13485:2016: 7.4.2

FDA 21 CFR 820.50(b)

  • Purchasing information identifies requirements for approval of product, procedures, processes, and equipment, requirements for personnel qualification, and QMS requirements.

ISO 13485:2016: 7.4.2

FDA 21 CFR 820.50

  • Supplier evaluation records are maintained.

ISO 13485:2016: 7.4.1

FDA 21 CFR 820.50(a)(3))

  • Verification and acceptance of purchased materials and/or services are adequate.

ISO 13485:2016: 7.4.3

FDA 21 CFR 820.50(a)(2), 820.80(a), 820.80(b)

 

The purchasing controls section of your internal audits is the section that can vary the most in terms of timeline. Depending on how many processes you outsource and how important they are, external auditors can spend up to a fifth of their time auditing processes from this section. 

Purchasing controls can be particularly time-consuming because auditors will need to gather information from every outsourced partner, meaning communication is inherently and inevitably delayed.

Make sure your internal audit spends a similar amount of time so your level of scrutiny matches or exceeds that of an external auditor.

 

Documentation and Records

The documentation and records section of your internal audit checklist helps you verify that your company can control documentation and make records available to staff and to auditors.

 

Documentation and Records tasks
References
  • Procedures for identification, storage, protection, retrieval, retention time, control, approval, distribution, disposition, and changes of documents and records are present and adequate.

ISO 13485:2016: 4.2.4, 4.2.5

FDA 21 CFR 820.40, 820.180

  • Documents and changes are approved prior to use.

ISO 13485:2016: 4.2.4

FDA 21 CFR 820.40

  • Documents and records are legible and identifiable.

ISO 13485:2016: 4.2.4(e), 4.2.5

  • Documents of external origin are identified with controlled distribution.

ISO 13485:2016: 4.2.4(f)

 

  • Maintain a quality system record (QSR) that includes or refers to location of procedures.

ISO 13485:2016: 4.2.1(c), (e)

FDA 21 CFR 820.20, 820.40, 820.186

  • Documents and records are retained for required length of time (this includes retention of obsolete controlled documents and records).

ISO 13485:2016: 4.2.1, 4.2.4, 4.2.5

FDA 21 CFR 820.100(b), 820.180(b), 820.181, 820.184, 820.186, 820.198(a), 820.200(d)

  • Change records are reviewed and approved by the same functions that performed original review and approval.

ISO 13485:2016: 4.2.4, 7.3.9

FDA 21 CFR 820.40(b)

  • Change records include a description of change, identification of affected documents, approval signatures, approval date, and effective date.

ISO 13485:2016: 7.3.9

FDA 21 CFR 820.40(b)

  • Documents are available at the point of use, and obsolete documents are not in use.

ISO 13485:2016: 4.2.4(d), (h)

FDA 21 CFR 820.40(a)

  • Maintain DMRs for each type of device.

ISO 13485:2016: 4.2.1

FDA 21 CFR 820.181

  • DMRs contain or make reference to device specifications, production process specifications, quality assurance procedures and specifications (including acceptance criteria), packaging and labeling specifications (including acceptance criteria), and installation, maintenance, and servicing procedures.

ISO 13485:2016: 4.2.1

FDA 21 CFR 820.181(a) - (e)

  • DHRs are maintained, and devices are manufactured according to DMR. Realization processes and product meet requirements.

ISO 13485:2016: 7.1, 8.2.6

FDA 21 CFR 820.184

  • DHRs contain or make reference to dates of manufacture, quantity manufactured, quantity released for distribution, acceptance records demonstrating the device was manufactured per DMR, primary identification label and labeling used for each unit, and device identification and/or control numbers used.

ISO 13485:2016: 8.2.6

FDA 21 CFR 820.184(a) - (f)

  • Maintain records for education, training, skills, and experience of resources.

ISO 13485:2016: 6.2(e)

  • Maintain purchasing and supplier records.

ISO 13485:2016: 7.4.1, 7.4.3

FDA 21 CFR 820.50

  • Sterilization process parameters and records are maintained for each batch. Sterilization validation records are maintained.

ISO 13485:2016: 7.5.5, 7.5.7

 

As you audit documentation and records, document the specific reports and files that you reviewed.

Also, unlike the production and process controls section, which is good to do early, the documentation and records section is good to do later or last. This makes it easier for you to follow up on components that you uncovered as you went through other sections of the audit.

 

Customer-related Processes

The customer-related processes section of your internal audit checklist helps you verify that your company is handling customer-related processes compliantly.

 

Customer-related Processes tasks
References
  • Product requirements ensure that intended use, customer requirements, and regulatory requirements are addressed.

ISO 13485:2016: 7.2.2

FDA 21 CFR 820.30(c), 820.30(d), 820.30(f), 820.30(g)

  • Incoming contracts and orders are reviewed to resolve conflicting information and ensure that customer requirements can be met.

ISO 13485:2016: 7.2.2

 

  • Procedures and systems exist for customer communications and feedback.

ISO 13485:2016: 7.2.3, 8.2.1

FDA 21 CFR 820.100(a)(1), 820.198

  • Customer communications and feedback integrate with CAPA system.

ISO 13485:2016: 7.2.3, 8.2.1

FDA 21 CFR 820.100(a)(1), 820.198

 

Take care to audit this section carefully. When an FDA auditor or ISO registrar shows up, they will almost definitely want to see how you manage complaints. In the past, a struggle to manage complaints has been one of the most common reasons companies receive warning letters.

FREE RESOURCE: Click here to download a printable version of The Ultimate Internal Audit Checklist.

Pass your next audit with ease

The auditors are here. Your back stiffens, your lips purse, your teeth grit. Whether internal or external, it’s time to be on your best behavior, right?

Wrong. If your behavior changes when an auditor shows up, that’s a sign you’re not prepared. Your processes should be so effective that you can trust them when auditors arrive. Your SOPs should be so comprehensive that you run them the same way you do with or without auditors present. You should be ready at any time. After all, unannounced audits can happen at any time.

Internal audits, and an internal audit checklist, are your start. A good process turns what could be a procedural check mark into a valuable activity. To make internal audits even more valuable—and even easier to do—you need the best QMS solution that’s purpose-built to support them.

A modern QMS like Greenlight Guru makes internal audits easy to accomplish and external audits easy to pass. Greenlight Guru comes with an audit workflow that helps internal auditors create schedules, assign due dates, determine section owners, and set reminders.

With Greenlight Guru Visualize, you consolidate all of the documents relevant to an audit—including ones you may have missed on your own—into one view. Internal auditors have visibility into all the links that make up a comprehensive internal audit.


Looking for an all-in-one QMS solution to advance the success of your in-market devices that can integrate your post-market activities with product development efforts? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software →

 
FDA