Audit Checklist Example_Medical Devices 022820

Medical Device Audit Checklist Example

ISO 13485:2016 and 21 CFR 820

Additional Notes:

______________________________________________________________________________________________________________________

1

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

Quality Management System

4.1.1

§820.5

Is the quality management system (QMS) documented,

implemented, and maintained?

4.1.2

4.1.3

Are the QMS processes monitored and measured? Are there

adequate resources to support the processes? Are the processes

controlled using a risk-based approach?

4.1.4

Are changes to QMS processes evaluated for impact on the QMS and

devices? Are changes controlled?

4.1.5

Are outsourced processes adequately controlled?

4.1.6

Is software used in the QMS system properly monitored and

controlled, including validations and revalidations based on risk and

in writing?

Documentation requirements

4.2.1

Does the quality management system (QMS) documentation include

quality policy, quality objectives, procedures, and records?

4.2.2

§820.20(e)

Is the Quality Manual properly documented, including procedures or

references to them? Does it include details of and justification for

any exclusion or non-application?

Does it address all relevant requirements of ISO 13485 and 21 CFR

820?

4.2.2

Is the interaction between the processes of the quality system

documented (process map, flowcharts, etc.)?

4.2.2

Is the structure of the quality system documentation outlined in the

manual?

Additional Notes:

______________________________________________________________________________________________________________________

2

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

4.2.3

§820.181

Is there a Medical Device File (ISO) for each medical device type or

medical device family, and/or Device Master Record (FDA) including:

• description of the device, intended use/purpose, packaging,

labeling, instructions for use;

• product specifications;

• production process specifications;

• procedures for measuring and monitoring / quality assurance;

and,

• as appropriate: requirements for installation, maintenance and

service?

Control of Documents

4.2.4

§820.40(a)

Is there a written procedure defining the controls needed to:

● Review and approve documents prior to issue,

● Review, update and re-approve documents,

● Identify changes and current revisions of documents

● Make relevant versions of applicable documents available at

points of use

● Ensure that documents are legible and identifiable,

● Identify and control the distribution of documents of external

origin, and

● Prevent deterioration or loss of documents

● Identify retained obsolete documents and prevent their

unintended use

Is there evidence of implementation of the procedure?

Additional Notes:

______________________________________________________________________________________________________________________

3

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

4.2.4

§820.180

Is the period for retention of obsolete controlled documents

defined? Is the retention period at least equal to the lifetime of the

device?

4.2.4

§820.40(b)

Are document changes reviewed and approved by the same function

that performed the original review and approval (unless specifically

designated otherwise)?

Are change records maintained, including description of the change,

identification of the affected documents, approval signatures and

date, and when the change becomes effective?

Control of Records

4.2.5

Are quality records maintained?

4.2.5

§820.184

Do procedures define the control for identity, storage, security,

retrieval, retention, and disposition of records?

4.2.5

§820.186

Is confidential health information protected?

4.2.5

§820.180

Are retention periods for records defined?

Are records retained for at least the period of time equivalent to the

expected life of the device, and no less than 2 years?

4.2.5

§820.180

Are records organized and maintained to ensure that they remain

legible, readily identifiable and retrievable, and to prevent

deterioration and loss?

Are records accessible to the regulatory inspections?

Are electronic records backed up?

4.2.5

Are records maintained to enable changes to records to remain

identifiable?

Additional Notes:

______________________________________________________________________________________________________________________

4

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

Management Responsibility

5.1

§820.20

Is the top management

● communicating to the organization the importance of meeting

customer and other applicable requirements,

● establishing the quality policy,

● establishing quality objectives,

● conducting management reviews, and

● ensuring availability of resources?

5.2

Is the top management ensuring that customer requirements are

determined and are met?

5.3

§820.20

Is there a documented quality policy; and

● Is it appropriate to the purpose of the organization?

● Does it include a commitment to comply with requirements and

to maintain the effectiveness of the quality management system?

● Does it provide a framework for establishing the quality

objectives?

● Is it communicated and understood throughout the organization?

● Is it periodically reviewed for continuing suitability?

5.4.1

Are quality objectives, including those needed to meet applicable

regulatory/ product requirements, established within the

organization? Are they consistent with the quality policy?

5.4.1

Are the quality objectives measurable?

5.4.2

§820.20

Is quality management system planning carried out to ensure quality

objectives are met and the QMS integrity remains when changes are

Additional Notes:

______________________________________________________________________________________________________________________

5

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

planned and implemented? Has the manufacturer established how

the requirements for quality will be met?

5.5.1

§820.20

Is top management ensuring that responsibilities and authorities are

defined, documented, and communicated within the organization?

5.5.1

§820.20

Is an outline of the interrelation of all personnel who manage,

perform, and verify work affecting quality documented?

5.5.1

Is top management ensuring the independence and authority

necessary to perform tasks and work affecting quality?

5.5.2

§820.20

Is there an appointed member of management (Management

Representative) whose responsibility and authority includes the

following?

● Ensuring processes needed for the QMS are documented

● Reporting to top management on the effectiveness of the QMS

and any need for improvement

● Ensuring the promotion of awareness of applicable regulatory

requirements and quality management system requirements

throughout the organization

5.5.3

Are appropriate communication processes established within the

organization? Does top management ensure that communication

takes place regarding the effectiveness of the QMS?

5.6.1

§820.20

Does the organization have documented procedures for

Management Review? Does top management review the

organization’s quality management system at documented planned

intervals to ensure continuing suitability, adequacy, and

effectiveness? Are records of reviews maintained?

Additional Notes:

______________________________________________________________________________________________________________________

6

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

5.6.2

Does input to management reviews cover the appropriate topics,

including the following?

• Customer feedback

• Complaint Handling

• Reports to regulatory authorities

• Audits

• Monitoring/ measurement of processes

• Monitoring/ measurement of products

• Corrective Actions

• Preventive Actions

• Follow-up actions from previous Management Reviews

• Changes affecting the QMS

• Assessment of opportunities for improvement and need for

changes to the QMS

• Applicable new or revised regulatory requirements

5.6.3

Is output from management review recorded, including recording

the input reviewed and any decisions and actions related to

improvements to QMS or product, any resource needs, and changes

needed to respond to new or revised regulatory requirements?

Resource Management

6.1

§820.25

Has the organization determined and provided sufficient resources

to implement and maintain the QMS and meet regulatory and

customer requirements?

6.2

§820.25

Are personnel performing work affecting product quality competent

on the basis of appropriate education, training, skills, and

experience? Are records of competence maintained?

Additional Notes:

______________________________________________________________________________________________________________________

7

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

6.2

Is there a documented process for establishing competence,

providing needed training, and ensuring awareness of personnel?

6.2

§820.25

Does the organization provide training or take other action to

achieve or maintain the necessary competence?

6.2

Is the effectiveness of the training or other actions evaluated? Is the

evaluation method proportionate to the risk associated with the

functions?

6.2

§820.25

Are personnel aware of the effects of their activities and how they

contribute to the quality objectives?

6.3

§820.70

Are there adequate buildings, workspace, and utilities present to

achieve compliance to product requirements?

6.3

§820.70

Does the organization have documented requirements for the

maintenance activities, including the interval of performance of

maintenance activities that can affect product quality?

6.3

§820.70

Are records of maintenance maintained?

6.4.1

§820.70

Does the organization have documented requirements for the work

environment needed to achieve conformity to product

requirements? Does the organization have procedures to monitor

and control the work environment?

6.4.1

§820.70

Are requirements documented for health, cleanliness, and clothing

of personnel where contact could affect medical device safety or

performance?

Additional Notes:

______________________________________________________________________________________________________________________

8

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

6.4.1

§820.70

Are temporary personnel adequately trained or supervised within

special environmental conditions within the work environment?

6.4.2

§820.70

Does the organization plan and document arrangements for the

control of contaminated or potentially contaminated products in

order to prevent further contamination of the work environment,

personnel, or product?

6.4.2

For sterile medical devices, are requirements for control of

contamination and micro-organisms documented? Does the

organization maintain the required cleanliness during assembly or

packaging processes?

Product Realization

7.1

Is there a procedure for product realization?

7.1

Is there a process for risk management? Are records of risk

management documented?

7.1

§820.80

Is there evidence of the following?

• Objectives/ requirements for the product?

• Process documents and resources available?

• Requirements for validation, verification, monitoring,

measurement, inspection, handling, storage, distribution and

product acceptance?

• Documentation that the product and design control processes

meet the requirements?

7.2.1

Are delivery and post-delivery requirements defined?

7.2.1

Are requirements necessary for specified intended use defined?

(Both specified and not specified by the customer)

Additional Notes:

______________________________________________________________________________________________________________________

9

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

7.2.1

Are regulatory requirements defined and met?

7.2.1

Is necessary user training for the safe use of the device identified?

7.2.2

Are product requirements defined and documented?

7.2.2

Are contract and order requirements resolved?

7.2.2

Is the organization able to meet the defined requirements?

7.2.2

Are relevant documents amended when product requirements

change?

7.2.2

Are records of product requirement reviews retained?

7.2.3

Are there documented arrangements for communications with the

customer for product information, customer feedback (complaints),

advisory notices, and contracts/ amendments to contracts?

7.3.1

§820.30

Are there documented Design and Development Procedures?

7.3.2

§820.30

Are the following subjects documented?

• Design/ development stages

• Reviews needed for each stage

• Verification, validation, and design transfer activities

• Methods to ensure traceability of design outputs to design inputs

• Resources needed, including competent personnel

7.3.3

§820.30

Are the following covered by design inputs?

• Regulatory requirements and standards

• Functional performance, usability, and safety requirements per

intended use

• Output risk management

Additional Notes:

______________________________________________________________________________________________________________________

10

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

• Information derived from similar designs

• Other requirements needed for the development of the product

• Are the inputs reviewed, approved, and documented

7.3.4

§820.30

Are design outputs verifiable against the design inputs?

7.3.4

§820.30

Do design outputs provide appropriate and adequate information

for purchasing, production, and servicing?

7.3.4

§820.30

Do design outputs reference product acceptance criteria?

7.3.4

§820.30

Are the essential characteristics for safe and proper use specified in

the design outputs?

7.3.4

§820.30

Are design outputs approved prior to release?

7.3.5

§820.30

Are systematic reviews of the design performed at the appropriate

stages?

7.3.5

§820.30

Do design reviews evaluate whether the design results meet the

requirements? Do they include identification and proposal of

necessary actions?

7.3.6

§820.30

Is design verification performed for each documented process to

verify that the design outputs meet the design inputs?

7.3.6

§820.30

Does design verification specify the method, acceptance criteria,

statistical techniques, and rationale for sample size?

7.3.6

§820.30

If a device is required to interface with another device, does the

verification confirm that design outputs meet design inputs when

the devices are interfaced?

Additional Notes:

______________________________________________________________________________________________________________________

11

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

7.3.6

§820.30

Are records of results and conclusions of design verification

maintained?

7.3.7

§820.30

Is design validation performed for each documented process to

verify that the design can meet the requirements for the intended

use?

7.3.7

§820.30

Does design validation specify the method, acceptance criteria,

statistical techniques, and rationale for sample size?

7.3.7

Is design validation conducted on representative product?

7.3.7

Does design validation include clinical evaluation?

7.3.7

§820.30

If a device is required to interface with another device, does the

validation confirm that design requirements have been met when

the devices are interfaced?

7.3.7

§820.30

Are records of results and conclusions of design validations

maintained?

7.3.8

§820.30

Are design transfer processes documented? Do the processes ensure

design outputs are verified to be suitable for manufacturing?

7.3.8

Does production capability meet product requirements?

7.3.9

§820.30

Are changes to design and development reviewed, verified,

validated (when needed), and approved? Are changes evaluated for

the impact to the component or device?

7.3.10

§820.30

Is there a design and development file or Design History File (DHF)

for each device or device family?

7.3.10

§820.30

Does the design and development file contain references to records

that demonstrate conformance to the device requirements and

design changes?

Additional Notes:

______________________________________________________________________________________________________________________

12

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

7.4.1

§820.50

Is there a procedure defining the purchasing process and ensuring

that purchased product conforms to the purchasing information?

7.4.1

§820.50

Are there criteria for selection and approval of suppliers,

proportional to the risk related to the device? Are criteria based on

the following?

• Suppliers’ ability to provide product that meets the

component/service requirements

• Supplier’s performance

• Effect of the product of the quality of the device

7.4.1

§820.50

Are suppliers monitored and reevaluated? Does reevaluation

consider supplier performance?

7.4.1

Are supplier nonconformances addressed in proportion to the risk

associated with the purchased product and compliance to regulatory

requirements?

7.4.1

§820.50

Are results of supplier selection, evaluation, re-evaluation,

performance, and actions arising from these activities documented?

7.4.2

As appropriate, is the following purchasing information provided?

• Product specifications

• Product acceptance, processes, and equipment requirements

• Qualifications of supplier personnel

• QMS requirements

• Purchase order review and approval

• Change notification on file

• Records of purchased materials maintained

7.4.3

Are verification processes established to confirm purchased product

meet requirements?

Additional Notes:

______________________________________________________________________________________________________________________

13

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

7.4.3

Are changes to the purchased product evaluated for impact on the

finished medical device?

7.4.3

If source inspection is performed, are verification activities and

product release requirements defined on the purchase order?

7.5.1

Are there procedures in place for the control of production?

7.5.1

Is the infrastructure qualified?

7.5.1

Are process parameters monitored and measured? Is equipment

available for monitoring and measurement?

7.5.1

Are defined operations for labeling and packaging implemented?

7.5.1

Are release, delivery, and post-delivery instructions implemented?

7.5.1

§820.65

Are traceability requirements recorded on the manufacturing

records?

7.5.2

Is cleanliness or contamination abatement of the product defined?

7.5.3

§820.170

Where installation is applicable, are acceptance criteria and

verification of installation documented? Are records maintained?

7.5.4

§820.200

Are servicing procedures documented?

7.5.4

§820.200

Are service records analyzed to determine if they are to be handled

as a complaint? Are service records used as an input for the

improvement process?

7.5.4

§820.200

Are servicing records maintained?

7.5.5

For sterile medical devices: Are sterilization process parameters for

each lot/batch of devices maintained?

Additional Notes:

______________________________________________________________________________________________________________________

14

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

7.5.5

For sterile medical devices: Are sterilization records traceable to

each lot/batch?

7.5.6

§820.140

Where outputs are not verified or measurable, are they validated?

Does the validated process include the following?

• Criteria for review/approval of the process

• Equipment and personnel qualification

• Methods, procedures, and acceptance criteria

7.5.7

Is there a procedure outlining the requirements for sterilization

validation and sterile barriers?

7.5.7

Has sterilization been validated prior to implementation? Have any

process changes been validated, as appropriate?

7.5.8

§820.60

Is there a procedure defining identification of the product?

7.5.8

§820.60

Is product status maintained throughout the manufacturing, storage,

installation, and servicing process?

7.5.9

§820.65

Is there a procedure defining traceability?

7.5.9

§820.65

Are records of traceability maintained?

7.5.9

§820.65

For implantable devices:

• Are requirements that could affect performance or safety of the

device defined (materials, components, environmental

conditions, etc.)?

• Do distributors keep records of distribution?

• Are consignee names and addresses maintained?

Additional Notes:

______________________________________________________________________________________________________________________

15

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

7.5.10

Is customer property for use in the manufacture of the device

identified and protected while in the manufacturer’s possession?

7.5.10

Are records of damage, loss, and unsuitability conveyed to the

customer? Are the records maintained?

7.5.11

§820.140

§820.150

§820.160

Is there a procedure providing for the preservation of conformity of

the product during all phases of manufacturing, handling, storage

and distribution?

7.5.11

§820.130

Are the packaging/ shipping procedures suitably designed to protect

the product and prevent contamination?

7.5.11

Where special conditions are required, are they controlled and

documented?

7.6

Are there procedures ensuring that monitoring and measurement

can be carried out consistent with the requirements?

7.6

Is equipment calibrated at specified intervals using recognized

national/international standards? Are any adjustments

documented?

7.6

§820.72

Is equipment identified to determine its calibration status?

7.6

§820.72

Is equipment safeguarded from adjustments that would invalidate

measurement results? Is it protected from damage during handling,

storage, and maintenance?

7.6

§820.72

Are calibration and verification records maintained?

Additional Notes:

______________________________________________________________________________________________________________________

16

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

7.6

Does the organization review the validity of prior measurements if

the equipment is found to be out of tolerance? Is appropriate action

taken?

7.6

§820.70

Is software used in measuring equipment validated in accordance

with risk? Is there a software validation procedure?

Measurement, Analysis, Improvement

8.1

Does the organization implement monitoring, measurement,

analysis, and improvement to confirm the following?

• Conformity of the product

• Conformity to the QMS

• Effectiveness of the QMS

Are statistical techniques used defined?

8.2.1

Is the process for manufacturing and postproduction feedback

documented? Does the process cover regulatory requirements?

8.2.1

Does postproduction feedback feed into risk management and the

product improvement process?

8.2.2

§820.198

Is there a complaint handling procedure that contains covers the

following?

• Receipt and recording of information

• Determination of complaint status

• Investigation of complaints

• Determining regulatory reporting requirements

• Handling complaint product

• Determining the need for correction and corrective actions

8.2.2

Are complaint records maintained?

Additional Notes:

______________________________________________________________________________________________________________________

17

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

§820.198

8.2.3

§820.198

Are there procedures in place to direct documenting reporting of

complaints to regulatory authorities when needed (i.e. advisory

notices, adverse events)?

8.2.3

§820.198

Are reports to regulatory authorities maintained?

8.2.4

Are internal audits performed at planned intervals?

8.2.4

§820.22

Does the internal audit process ensure conformance to

documentation and to regulatory requirements?

8.2.4

§820.22

Do internal audits include the following?

• Evaluation of the effectiveness of the implementation and

maintenance of the Quality System

• Review of prior audit results

• Defined audit scopes, methods, and intervals

8.2.4

§820.22

Are auditors qualified and objective?

8.2.4

§820.22

Does management ensure that corrective actions are implemented

and effective?

8.2.5

Are measurements and methods appropriate to ensure the

processes can achieve planned results? Have corrective actions been

implemented when required?

8.2.6

Are monitoring and measurement activities carried out at applicable

stages during product realization?

8.2.6

§820.86

Is evidence of conformity to the acceptance criteria maintained?

Additional Notes:

______________________________________________________________________________________________________________________

18

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

8.2.6

§820.80

Is the test equipment used to perform acceptance identified on the

measurement?

8.2.6

§820.80

Is the person performing inspections/ tests recorded?

8.3.1

§820.90

Is there a procedure documenting controls, roles, and

responsibilities to identify, segregate, evaluate, and disposition

nonconforming product?

Does the process determine the need for an investigation and

notification to external sources responsible for the nonconformity?

8.3.1

§820.90

Is nonconforming product identified and segregated?

8.3.1

§820.90

Are records regarding nonconformances and subsequent actions

maintained?

8.3.2

§820.90

When a nonconformance is detected before delivery, are one or

more of the following actions prescribed/taken?

• Eliminate nonconformity

• Preclude its original intended use

• Authorize use/ acceptance under concession

8.3.3

§820.90

When nonconformities are detected post-delivery:

• Does the organization base actions on the effects or potential

effects of the nonconformity? Are the actions maintained?

• Is there a procedure for submitting advisory notices? Are records

of advisory notices maintained?

8.3.4

§820.90

Is there a procedure for rework? Does it have the same level of

approval as the original procedure?

Additional Notes:

______________________________________________________________________________________________________________________

19

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

8.3.4

§820.90

Has the rework been verified to conform to the acceptance criteria

and regulatory requirements?

8.3.4

§820.90

Are records of rework maintained?

8.4

Is there a procedure that defines the collection and analysis of data

to determine the adequacy and effectiveness of the QMS (methods,

statistical techniques, and extent of use)? Does data include

• Feedback?

• Conformity to product requirements?

• Trends and opportunities for improvement?

• Supplier data?

• Audit data?

• Service reports (if required)?

8.4

Are records for data analysis maintained?

8.5.1

Does the organization use audit results, quality objectives, market

surveillance, corrective and preventive actions, and analysis of data

to improve the QMS and device safety and performance?

8.5.2

§820.100

Is there a corrective action procedure to address issues including

complaints and nonconforming product?

8.5.2

§820.100

Does the corrective action process include the following?

• Determination of the root cause of the issue

• Evaluating need for action to ensure non-recurrence

• Documenting completed corrective action e.g. document change

• Assessment of corrections on impact of the ability of the device

to meet requirements

• Effectiveness checks

Additional Notes:

______________________________________________________________________________________________________________________

20

Standard

Reference

Requirement

Complies?

(Y/N/NA)

Notes and Evidence

• Maintaining records

8.5.3

§820.90

§820.100

Is there a procedure for identifying potential nonconformities and

their causes?

8.5.3

§820.100

Does the preventive action process include the following?

• Evaluating the need for corrective action

• Documenting actions taken and the ability to meet the device

safety and device performance requirements

• Verification that actions taken do not adversely affect the device

performance, safety, or conformance with regulatory

requirements

• Verification of the effectiveness of actions taken

8.5.3

§820.100

Are records of preventive actions maintained?

Please note: The above Checklist is provided as an example only. Please reference the applicable standard / regulation for additional details.