Audit Checklist 9001 13485 21 CFR 820

Internal Audit Checklist
Revision Level: A Page 1 of 66
Audit Date: Audit Description: Lead Auditor: Audit Team Members (if applicable): This Audit Checklist is based on the following Standards / Directives/Regulations: 21 CFR 820 (EN) ISO 13485:2003 (Medical Devices: Quality Management Systems Requirements for regulatory purpose); In Vitro Diagnostic Medical Device Directive (IVDD) 98/79/EC
Auditor Name (print): Pages may be used independently.
Initials:
Date: Revision pages not required when using this form.

Please circle the sections evaluated during this audit.

4.1 Quality Management System General 5.2 Customer Focus 5.5.3 Internal Communication 6.2.2 Competence, Awareness, and Training 7.2.3 Customer Communication 7.3.6 Design and Development Validation 7.5.1.2.1 Cleanliness of Product and Contamination Control 7.5.5 Preservation of Product 8.2.4 Monitoring and Measurement of Product
4.2.1 Documentation Requirements General 5.3 Quality Policy 5.6.1 Management Review General 6.3 Infrastructure 7.3.1 Design and Development Planning 7.3.7 Control of Design and Development Changes 7.5.2.1 Validation of processes for Production and Service Provision-General 7.6 Control of Monitoring and Measuring Devices 8.3 Control of Nonconforming Product
4.22 Quality Manual 5.4.1 Quality Objectives 5.6.2 Review Input
4.2.3 Control of Documents 5.4.2 Quality Management System Planning 5.6.3 Review Output 7.1 Planning of Product Realization 7.3.3 Design and Development Outputs 7.4.2 Purchasing Information
4.2.4 Control of Records 5.5.1 Responsibility and Authority 6.1 Resource Management Provision of Resources 7.2.1 Determination of Requirements 7.3.4 Design and Development Review 7.4.3 Verification of Purchased Product 7.5.3.3 Status Identification
5.1 Management Commitment 5.5.2 Management Representative 6.2.1 Human Resources General 7.2.2 Review of Requirements Related to the Product 7.3.5 Design and Development Verification 7.5.1.1 Control of Production and Service Provision-General 7.5.4 Customer Property 8.2.3 Monitoring and Measurement of Processes 8.5.3 Preventive Action
6.4 Work Environment 7.3.2 Design and Development Inputs 7.4.1 Purchasing Process
7.5.3.1 Identification 8.1 Measurement, Analysis and Improvement-General 8.4 Analysis of Data
7.5.3.2 Traceability 8.2 Monitoring and Measurement Customer Feedback 8.5.1 ImprovementGeneral
8.2.2 Internal Audit
8.5.2 Corrective Action
Initials:

ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 4 Quality Management System 4.1 General Requirements 820.25 Quality System
4.1q1 Has Organization established, documented, implemented and maintained a QMS and maintained (and continually improved) its effectiveness in accordance with ISO 9001/13485 and 21 CFR 820? (Questions in section 4.1 are verified throughout the audit) Where has Organization identified the processes needed for the QMS and their application throughout the organization? (See 4.2.2) Where has Organization determined the sequence and interaction of QMS processes? (See 4.2.2) What are the criteria and methods Organization uses to ensure that the operation and control of QMS processes are effective?
Finding? Level?
(C = Critical NC, M = Major NC, R = Minor NC)
Evidence (including referenced docs)
4.1q2
4.1q3
4.1q4
Initials:

Revision Level: A Finding? Level?
Page 4 of 66
Q#
4.1q5
ISO 9001:2000 ISO 13485:2003 21 CFR 820 Audit Questions

Has Organization provided resources and information needed to support the operation and monitoring of QMS processes? (See section 6) How does Organization monitor, measure and analyze QMS processes? (See section 8) How has Organization implemented actions necessary to achieve planned results and maintain the effectiveness (continual improvement) of processes needed for the QMS? Are processes needed for the QMS managed by the organization in accordance with the requirements of ISO 9001:2000? When Organization outsources any process that affects product conformity with requirements, how is control ensured over such processes? (See 7.4)
4.1q6
4.1q7
4.1q8
4.1q9
Initials:

Page 5 of 66
Q#
4.1q10

Where is the control of outsourced processes that affect product conformity with requirements identified within the QMS? (See 7.4)
NOTE Processes needed for the quality management system referred to above should include processes for management activities, provision of resources, product realization and measurement.
4.2 Documentation Requirements 4.2.1 General

4.2.1q1 Does Organization have documented statements of a quality policy and quality objectives? (See 5.3, 5.4.1) Does Organization have a quality manual? Does Organization have the documented procedures required by ISO 9001:2000/ 13485:2003 and 21 CFR 820? Are adequate documents in place to ensure the effective planning, operation and control of Organizations processes? Does documentation include the records required by the appropriate regulations? Are there any documents required by regulations?
4.2.1q2 4.2.1q3
4.2.1q4
4.2.1q5 4.2.1q6
Initials:

Page 6 of 66
Q#
4.2.1q7

Can you show me a file for each type or model of medical device containing or identifying documents with product specifications and QMS requirements? (Review documents to verify they define the complete manufacturing process, installation and servicing) Do these DMRs (and/or Technical files) define the complete manufacturing and, if applicable, installation and servicing process of the related device? How does the manufacturer ensure, which medical devices will be sold (e. g. list of products): - into the EU union - US market Are procedures and responsibilities defined and documented to establish and maintain these DMRs (and/or Technical files)? Does the procedure describe the content and structure of the DMRs (Technical files)
4.2.1q8
4.2.1q9
4.2.1q10
Initials:

Page 7 of 66
Q#
4.2.1q11

Is it documented which documents of the Design History File must be part of the Device Master Record (DMR)? Is the file pointing out where the information is located, in case it is not fully included in one DMR (Technical file)? Has a European Representative been appointed by the manufacturer and is the address available (country, town, ZIP code, Street, e-mail)? Are the responsibility and procedures between the manufacturer and the European Representative and Marketing Authorization Holder clearly defined and documented (e.g. in contracts, procedures)?, especially for the following:
-
4.2.1q12
4.2.1q13
4.2.1q14
recall / vigilance system incident reporting market complaints traceability of sold devices training spare parts technical documentation
Initials:

Page 8 of 66
Q#
NOTE 1 Where the term documented procedure appears within this International Standard, this means that the procedure is established, documented, implemented and maintained. NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to a) the size of organization and type of activities, b) the complexity of processes and their interactions, and c) the competence of personnel. NOTE 3 The documentation can be in any form or type of medium.
4.2.2 Quality Manual 820.180 General Requirements

4.2.2q1 Where in the quality manual is the scope of the QMS identified, including details of and justification for exclusions and/or requirements that dont apply? Where does the quality manual contain or reference the documented procedures established for the QMS? Where does the quality manual include a description of the interaction between the processes of the QMS? 4.2.2q2 4.2.2q3 Where does the quality manual outline the documentation structure of the QMS? Does the quality system documentation also refer to applicable regulatory Directives/Laws/Standards (incl. CMDR, GMP under PAL, FDA)
Initials:

Page 9 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 4.2.3 Control of Documents 820.40 Document Controls
4.2.3q1 How are the documents required by the QMS controlled? (Documents to be reviewed throughout the audit) 4.2.3q2 Can you show me a procedure that defines the controls needed for each of the following? - review and approve documents for adequacy prior to issue? - review and update as necessary and reapprove documents? - ensure that changes and the current revision status of documents are identified? - ensure that approved changes are communicated to personnel in a timely manner? - ensure that relevant versions of applicable documents are available at points of use? - ensure that documents remain legible and readily identifiable? - ensure that documents of external origin are identified and their distribution controlled?
Initials:

Page 10 of 66
Q#

- prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.
4.2.4 Control of Records 820.180 General Requirements

4.2.4q1 What records exist that provide evidence of conformity to requirements and of the effective operation of the QMS? (Should be reviewed throughout the audit) Are records legible, readily identifiable and retrievable? (Should be reviewed throughout the audit) Does Organization have a procedure defining the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records? Is the retention period of quality records defined for a period of time at least equivalent to the lifetime of the medical device, but not less than 2 years, from the date of dispatch from the supplier?
4.2.4q2
4.2.4q3
4.2.4q4
Initials:

Page 11 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 4.2.4 Control of Records 820.181 Device Master Record (DMR)
4.2.4q5 Does the company maintain device master records including or referencing the following information: - device specifications such as drawings, composition, formulation, component specifications, software specifications, - production process specifications including or referencing the following: equipment specifications, production methods and procedures and production environmental specifications - quality assurance procedures and specifications including acceptance criteria and quality assurance equipment to be used - packaging and labeling specifications including methods and process used - installation, maintenance and servicing procedures and methods
Initials:

Page 12 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 4.2.4 Control of Records 820.184 Device History Record (DHR)
4.2.4q6 Does the company maintain device history records for each batch, lot unit in accordance with the DMR? The DHR should include: - dates of manufacture - quantity manufactured - quantity released to distribution - acceptance records - primary identification label - labeling used for each production unit - device identification and control number used
4.2.4 Control of Records 820.186 Quality system record

4.2.4q7 Does the company maintain a quality system record including or referencing a location of procedures and documentation of activities required that are not specific to a particular type of device, including records required by the Management Responsibility section? What approval process is used for the QSR?
4.2.4q8
Initials:

Page 13 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 5 Management Responsibility 5.1 Management commitment 820.20 Management responsibility
5.1q1 How does top management communicate the importance of meeting customer and legal requirements to the organization? Has a company quality policy been established? (See 5.3) What are the quality objectives established by top management? (See 5.4.1) Does top management conduct management reviews? (See 5.6) How does top management ensure the availability of resources to support and continually improve the QMS?
5.1q2 5.1q3 5.1q4 5.1q5
5.2 Customer Focus

5.2q1 How does top management ensure that customer requirements are determined and met?
Initials:

Page 14 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 5.3 Quality Policy 820.20 Management responsibility
5.3q1 How does top management ensure that the quality policy is appropriate to the purpose of the organization? Does the quality policy include a commitment to comply with requirements and to maintain (continually improve) QMS effectiveness? Are the contents of the quality policy relevant to Organization, and measurable? Is the quality policy communicated and understood within the organization? Is there an established process to review the quality policy for continuing suitability?
5.3q2
5.3q3
5.3q4 5.3q5
5.4 Planning
Initials:

Page 15 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 5.4.1 Quality Objectives 820.20 Management Responsibility
5.4.1q1 Has top management established quality objectives (including those needed to meet requirements for product) at relevant functions and levels within the organization? Are the quality objectives consistent with the quality policy? What are the measurements?
5.4.1q2
5.4.2 Quality management system planning 820.20 Management responsibility

5.4.2q1 How do you ensure that the planning of the QMS is carried out in order to meet the requirements given in ISO 9001:2000 / ISO 13485:2003 section 4.1 and 820.20(e), as well as the quality objectives? How do you ensure that the integrity of the QMS is maintained when changes to the QMS are planned and implemented? How do you document the planning?
5.4.2q2
5.4.2q3
5.5 Responsibility, authority and communication

Auditor Name (print): Pages may be used independently. Initials: Date: Revision pages not required when using this form.

Page 16 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 5.5.1 Responsibility and authority 820.20 Management responsibility
5.5.1q1 How are responsibilities and authorities defined, documented and communicated within the organization? (Verify throughout audit) Are procedures and responsibilities defined and documented to notify the representative for medical devicerelated safety issues to the respective competent authority
5.5.1q2
Initials:

Page 17 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 5.5.2 Management representative 820.20 Management responsibility
5.5.2q1 Has your Management Representative been defined? Does the management representative have responsibility and authority to: - ensure that processes needed for the QMS are established, implemented and maintained? - report to top management on the performance of the QMS and any need for improvement? - ensure the promotion of awareness of regulatory and customer requirements throughout the organization?
NOTE The responsibility of a management representative can include liaison with external parties on matters relating to the quality management system.
5.5.3 Internal Communication 820.20 Management responsibility

5.5.3q1 How is information regarding the effectiveness of the QMS communicated within the organization?
5.6 Management Review


Page 18 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 5.6.1 General 820.20 Management Responsibility
5.6.1q1 What is the frequency that top management reviews the organization's QMS? What kinds of information are reviewed in management reviews? (must include suitability, adequacy and effectiveness of QMS; improvement; & changes to the QMS, quality policy and objectives) Can you show me records from recent management reviews?
5.6.1q2
5.6.1q3
Initials:

Page 19 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 5.6.2 Review input 820.20 Management responsibility
5.6.2q1 Can you show me that each of the following were included in review(s)? - results of audits, - customer feedback, - process performance and product conformity, - status of preventive and corrective actions, - follow-up actions from previous management reviews, - changes that could affect the quality management system, - recommendations for improvement, and - new or revised regulatory requirements.
Initials:

Page 20 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 5.6.3 Review Output 820.20 Management responsibility
5.6.3q1 What decisions or actions have resulted from management reviews for each of the following? - improvement needed to maintain the effectiveness of the quality management system and its processes, - improvement of product related to customer requirements, and - resource needs
6 Resource management 6.1 Provision of resources 820.20 Management responsibility

6.1q1 What resources has Organization provided to implement and maintain the QMS and continually improve its effectiveness? What resources has Organization provided to ensure that customer and regulatory requirements are met? (See 6.2, 6.3, 6.4)
6.2 Human Resources
Initials:

Page 21 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 6.2.1 General 820.20 Management responsibility
6.2.1q1 Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience. What are the education, training, skills and experience required by this job/task? How does this person meet those qualifications?
6.2.2 Competence, awareness and training 820.25 Personnel

6.2.2q1 How do you determine the necessary education, training, skills and experience for people performing work affecting product quality? What training or other actions do you provide to satisfy the needs of personnel? When you provide training or other actions to satisfy competence needs, how do you evaluate the effectiveness of those actions? (records) (Sample throughout organization)
6.2.2q2
6.2.2q3
Initials:

Page 22 of 66
Q#
6.2.2q4 6.2.2q5

How do your activities contribute to the achievement of quality objectives? Where do you maintain records of education, training, skills and experience?
NOTE National or regional regulations might require the organization to establish documented procedures for identifying training needs.
6.3 Infrastructure 820.70 Production and process controls

6.3q1 Are the buildings, workspace, and utilities appropriate to meet product requirements? How are they maintained? What kind of process equipment (both hardware and software) is necessary to conform to product requirements? How is the equipment maintained? What supporting services (such as transport or communication) are needed to ensure that product meets requirements? How are they maintained? Are schedules for maintenance and inspection of equipment used in the manufacturing of product maintained?
6.3q2
6.3q3
6.3q4
Initials:

Page 23 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 6.4 Work environment 820.70 Production and process controls
6.4q1 Are procedures and responsibilities defined and documented for health, cleanliness and clothing of personnel, if contact between such personnel and product or environment could adversely affect the quality of product? Are the personnel who are supposed to work part time under specific environmental conditions appropriately trained or supervised by trained personnel? Are requirements for the environment to which products are exposed documented and maintained (if appropriate, the environmental conditions shall be controlled and/or monitored, e.g. bio-burden)?
6.4q2
6.4q3
Initials:

Page 24 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 7 Product Realization 7.1 Planning of product realization 820.5 Quality System
7.1q1 Where in the product realization process do you determine the quality objectives and requirements for products? When planning for product realization, how do you establish processes, documents, and provide resources specific to the product? How do you determine verification, validation, monitoring, inspection and test activities specific to the product, and the criteria for product acceptance? What records exist showing that both the realization processes and the product meet requirements? What are the outputs of product realization planning? Are they in a form suitable for Organization? Where are the requirements for risk management documented?
7.1q2
7.1q3
7.1q4
7.1q5
7.1q6
Initials:

Page 25 of 66
Q#
7.1q7

Where are the risk management documents that are generated during product realization maintained?
NOTE 1 A document specifying the processes of the quality management system (including the product realization processes) and the resources to be applied to a specific product, project or contract, can be referred to as a quality plan. NOTE 2 The organization may also apply the requirements given in 7.3 to the development of product realization processes. NOTE 3 See ISO 14971 for guidance related to risk management.
7.2 Customer-related processes 7.2.1 Determination of requirements related to the product 820.30(c) Design Inputs
7.2.1q1 How does Organization determine each of the following requirements? - requirements specified by the customer, including the requirements for delivery and post-delivery activities, - requirements not stated by the customer but necessary for specified or intended use, where known, - statutory and regulatory requirements related to the product, and - any additional requirements determined by the organization.
Initials:

Revision Level: A Finding? ISO 9001:2000 Level? ISO 13485:2003 Q# (C = Critical NC, M = 21 CFR 820 Major NC, R = Minor Audit Questions NC) 7.2.2 Review of requirements related to the product
7.2.2q1 What kind of review is done to ensure that the organization has the ability to meet requirements before committing to supply product? How do you ensure that product requirements are defined, documented, and reviewed before committing to supply product? How do you ensure that contract or order requirements differing from those previously expressed are resolved before committing to supply product? Can you show me records of the product requirement review results and actions resulting from them? When customers dont have documented requirements, how do you confirm their requirements before accepting orders?
Page 26 of 66
7.2.2q2
7.2.2q3
7.2.2q4
7.2.2q5
Initials:

Page 27 of 66
Q#
7.2.2q6

When product requirements are changed, how do you ensure that relevant documents are changed and that relevant personnel are made aware of the changes?
NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead the review can cover relevant product information such as catalogues or advertising material
7.2.3 Customer communication

7.2.3q1 What method(s) are used to communicate with customers regarding - product information? - enquiries, contracts, or order handling, including amendments? - feedback, including customer complaints? - advisory notices?
7.3 Design and development 7.3.1 Design and development planning 820.30 Design controls
7.3.1q1 Are documented procedures for design and development established?
Initials:

Page 28 of 66
Q#
7.3.1q2

Can you explain to me the process used by Organization to plan and control the design and development of product? Where is the process defined? What are the stages in the design and development process? How do you determine the review, verification, validation, and design transfer activities appropriate to each design and development stage? How/where are design and development responsibilities and process defined? Is a risk analysis and/or FMEA part of the development process? Are procedures and responsibility to perform and review risk analysis clearly assigned and documented? Are risk acceptance criteria defined in the relevant procedures?
7.3.1q3 7.3.1q4
7.3.1q5 7.3.1q6 7.3.1q7
7.3.1q8
Initials:

Page 29 of 66
Q#
7.3.1q9 7.3.1q10

Are risk analysis results part of Design History documents? How does Organization ensure effective communication and clear assignment of responsibility between different groups involved in design and development? As product design and development progresses, how are the planning outputs documented and updated?
7.3.1q11
NOTE Design transfer activities during the design and development process ensure that design and development outputs are verified as suitable for manufacturing before becoming final production specifications.
Initials:

Page 30 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 7.3.2 Design and development inputs 820.30(c) Design input
7.3.2q1 What are the design inputs relating to each of the following product requirements? - functional, performance and safety requirements, according to the intended use, - applicable statutory and regulatory requirements, - where applicable, information derived from previous similar designs, and - other requirements essential for design and development, and - output(s) of risk management. Where are they recorded? 7.3.2q2 How & when are the design and development inputs reviewed and approved for adequacy? How does Organization ensure that requirements are complete, unambiguous and dont conflict with each other?
7.3.2q3
Initials:

Page 31 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 7.3.3 Design and development outputs 820.30(d) Design output
7.3.3q1 How can design and development outputs be verified against the inputs? (see 7.3.5q1) Are these outputs approved prior to release? Can you show me examples of design and development outputs and how they meet the input requirements? What outputs include information for purchasing, production and service? Where are product acceptance criteria specified? Where are product characteristics needed for safe and proper use specified? 7.3.3q3 Does labeling for Medical Devices comply with regulatory requirements (e.g. EU directives, CMDR, FDA)? - Name of Device, Identifier - Name and address of manufacturer - Expiry date (if applicable) - CE (only EU) etc.
7.3.3q2
Initials:

Page 32 of 66
Q#
7.3.3q4

Where are records of design and development maintained? Is there a Design History File (DHF) for each type of device? Does the DHF contain or reference records necessary to demonstrate that the design was developed in accordance with the approved design plan? Does the DHF contain or reference risk analysis records? Is there a Technical File for each type of device? Does the Technical File contain or reference records necessary to fulfill the Declaration of Conformity requirements of the IVDD (as defined in Annex III)?
NOTE Records of design and development outputs can include specifications, manufacturing procedures, engineering drawings, and engineering or research logbooks.
7.3.3q5 7.3.3q6
7.3.3q7 7.3.3q8 7.3.3q9
Initials:

Page 33 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 7.3.4 Design and development review 820.30(e) Design review
7.3.4q1 At what stages of design and development do you perform reviews to evaluate if the results meet requirements? (See 7.3.1q2b) Can you show me some problems that have been identified and actions proposed at these reviews? 7.3.4q2 What functions (including specialists) are represented at these reviews? At each stage, are all functions concerned with that stage represented? 7.3.4q3 Does an independent reviewer participate and approve each design and development stage? Can you show me records of the results of the reviews and any necessary actions taken? Are the records of design review and any actions taken documented in the DHF?
7.3.4q4
7.3.34q5
Initials:

Page 34 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 7.3.5 Design and development verification 820.30(f) Design verification
7.3.5q1 What verification activities are performed to ensure that the design and development outputs have met the input requirements? (See 7.3.3q1) Can you show me records of the results of the verification activities and resulting actions? Are design verification records contained or referenced in the DHF?
7.3.5q2
7.3.5q3
7.3.6 Design and development validation 820.30(g) Design validation

7.3.6q1 What design and development validation activities are performed to ensure that the product is capable of meeting the requirements for the intended use? Are design and development validation activities performed on initial production units, lots or batches?
7.3.6q2
Initials:

Page 35 of 66
Q#
7.3.6q3

Do records show that validation is done before product shipment? If not, is the justification recorded?
7.3.6q4
Can you show me records of the validation activity results and any follow-up actions? Are design validation records contained or referenced in the DHF? Are procedures and responsibilities defined and documented to perform and evaluate clinical investigation / clinical trials? Are records about clinical data evaluation and / or testing part of the design documentation? Are they maintained? Updated? Are procedures and responsibilities defined to select and evaluate scientific literature used for the clinical evaluation?
7.3.6q5 7.3.6q6
7.3.6q7
7.3.6q8
NOTE 1 If a medical device can only be validated following assembly and installation at point of use, delivery is not considered to be complete until the product has been formally transferred to the customer. NOTE 2 Provision of the medical device for purposes of clinical evaluations and/or evaluation of performance is not considered to be delivery.
Initials:

Revision Level: A Finding? ISO 9001:2000 Level? ISO 13485:2003 Q# (C = Critical NC, M = 21 CFR 820 Major NC, R = Minor Audit Questions NC) 7.3.7 Control of design and development changes 820.30(i) Design changes
7.3.7q1 7.3.7q2 7.3.7q3 How are design and development changes identified? Where are the records kept? Are changes reviewed, verified, validated, and approved before implementation? Can you show me evidence that the review of design and development changes includes evaluation of the effect on component parts and products in the field? Can you show me records of the results of change reviews and any necessary actions? Are procedures and responsibilities defined to inform the Notified Body when design changes occur?
Page 36 of 66
7.3.7q4
7.3.7q5
Initials:

Page 37 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 7.4.1 Purchasing controls 820.50 Purchasing controls
7.4.1q1 How do you ensure that purchased product conforms to specified requirements? Can you show me a procedure for this? 7.4.1q2 How do you determine the type and extent of control applied to the supplier and the purchased product? How do you evaluate and select suppliers? (based on their ability to supply product in accordance with Organizations requirements) Can you show me the criteria for selection, evaluation and re-evaluation of suppliers? Can you show me records of the results of supplier evaluations and any necessary actions? (verify that criteria have been met) Is there a record of acceptable suppliers, contractors and consultants? How is it maintained?
7.4.1q3
7.4.1q4 7.4.1q5
7.4.1q6
Initials:

Page 38 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 7.4.2 Purchasing information 820.50 Purchasing controls
7.4.2q1 Do orders/contracts include requirements for approval of product, procedures, processes and equipment? Do require any qualification of supplier personnel? If so, can you show where the requirement is documented? 7.4.2q2 Do you have any QMS requirements of your suppliers? If so, can you show me where they are required? How does Organization ensure the adequacy of purchasing requirements before communicating them to the supplier? Can you show me records of orders and and/or contracts?
7.4.2q3
7.4.2q4
7.4.3 Verification of purchased product 820.80 Receiving, in-process and finished device acceptance
7.4.3q1 What inspection or other activities are used to ensure that incoming purchased product meets your purchasing requirements?
Initials:

Page 39 of 66
Q#
7.4.3q2

Do you ever perform product verification at the supplier's site? If so, where are the verification arrangements and method of product release identified?
7.4.3q3
Can you show me records of onsite verification?
7.5 Production and service provision 7.5.1 Control of production and service provision 7.5.1.1 General requirements
7.5.1.1q1 When carrying out production (or service) are all of the following controlled conditions in place? - Is information that describes the characteristics of the product available? - Are appropriate documented procedures, documented requirements, work instructions, reference materials and reference measurement procedures available (if needed)? - Is suitable equipment used for carrying out production (or service)? - Are appropriate monitoring and measuring instruments used in production
Initials:

Page 40 of 66
Q#

(or service)? (See 7.6) - Are appropriate kinds of monitoring and measurement done? (See 8.2.4) - Are proper release, delivery and postdelivery activities in place? - Are packaging and labeling operations defined and implemented?
7.5.1.1q2 7.5.1.1q3
Are processes and process equipment approved? Can you show me batch records for a device?
NOTE A batch can be a single medical device.
7.5.1.2.1 Cleanliness of product and contamination control 820.70(e) Contamination control

7.5.1.2.1q1 7.5.1.2.1q2 Are there documented requirements for cleanliness of product? Are there procedures maintained to prevent contamination of equipment or product by substances that could reasonably be expected to have an adverse effect on product quality?
Initials:

Page 41 of 66
Q#
7.5.1.2.1q3

Is there manufacturing material in any product that could reasonably be expected to have an adverse effect on product quality? If so, are there procedures established and maintained for the use and removal of this material to ensure that it is removed or limited to an amount that does not adversely affect the products quality?
7.5.1.2.2 Installation activities 820.170 Installation 7.5.1.2.2q1 Are there documented requirements with acceptance criteria for installing and verifying the installation? Are there documented requirements for installation and verification if installation is performed by an outside organization? Can you show me records of installation and verification?
7.5.1.2.2q2
7.5.1.2.3q3
Initials:

Page 42 of 66
Q#
7.5.1.2.3 Servicing activities 820.200 Servicing 7.5.1.2.3q1 Are there documented procedures, work instructions, reference materials and reference measurement procedures? Are there records of servicing activities?
7.5.1.2.3q2
NOTE Servicing can include, for example, repair and maintenance.
7.5.2 Validation of processes for production and service provision 7.5.2.1 General requirements 820.75 Process validation
7.5.2.1q1 Do you have any production or service processes where the resulting output cannot be verified later? If so, how to you validate them? 7.5.2.1q2 Can you show me records that demonstrate that the validation done has met the requirements? How are these process validations reviewed and approved? Can you show me records of personnel and equipment qualification?
7.5.2.1q3 7.5.2.1q4
Initials:

Page 43 of 66
Q#
7.5.2.1q5 7.5.2.1q6 7.5.2.1q7 7.5.2.1q8 7.5.2.1q9

Where are specific methods and procedures defined? Can you show me records for these processes? When changes are made to processes, how do you revalidate them? Are there documented procedures for validation of computer software? Are validation records maintained? Can you show me examples of these records?
7.5.3 Identification and traceability 7.5.3.1 Identification 820.60 Identification

7.5.3.1q1 How do you identify product throughout your processes? (Verify in production, storage, segregation areas, etc.) Can you show me procedures for this?
Initials:

Page 44 of 66
Q#
7.5.3.1q2

How do you ensure that medical devices returned to the organization are identified and distinguished from conforming product? Can you show me documented procedures for this?
7.5.3.2 Traceability 7.5.3.2.1 General 820.65 Traceability

7.5.3.2.1q1 7.5.3.2.1q2 Can you show me procedures for traceability? Can you show me unique identification records for products requiring traceability? How is the extent of traceability defined, documented and maintained to enable corrective actions as: - database of sold products - final destination / location of sold products - serial and/or lot number for identification 7.5.3.2.1q4 Do the traceability procedures (or contracts) require agents and distributors to maintain records of distribution?
Initials: Date: Revision pages not required when using this form.
7.5.3.2.1q3

Page 45 of 66
Q#
7.5.3.2.2q5

Do those requirements / contracts include the availability of records for inspection, audits etc.?
NOTE In some industry sectors, configuration management is a means by which identification and traceability (are) can be maintained.
7.5.3.3 Status Identification

7.5.3.3q1 How is product inspection status identified? (Verify in production, storage, segregation areas, etc.) Is the product status identified and maintained throughout production, storage, installation and servicing? Is it ensured that only passed products are dispatched, used or installed?
7.5.3.3q2
7.5.3.3q3
7.5.4 Customer property

7.5.4q1 Do you use any customer-owned property? (Product, packaging, drawings, tooling, gages...) (If so, ask questions below) 7.5.4q2 How do you ensure that customer-owned property is identified, verified, protected, and safeguarded?
Initials:

Page 46 of 66
Q#
7.5.4q3

If any customer property is lost, damaged etc., how is it reported to the customer? Can you show me records regarding this?
NOTE Customer property can include intellectual property or confidential health information.
7.5.5 Preservation of product 820.150 Storage 820.130 Device packaging 820.140 Handling 820.160 Distribution
7.5.5q1 How do you preserve the conformity of product during internal processing and delivery? (Verify product throughout audit) Can you show me work instructions or procedures for this? 7.5.5q2 Are there procedures or work instructions for control of storage areas and stock rooms for product to prevent mixups, damage, deterioration, contamination or other adverse effects pending use or distribution?
Initials:

Page 47 of 66
Q#
7.5.5q3

Are there procedures or work instructions established for the control of product with a limited shelf-life or requiring special storage conditions? Has device packaging and shipping containers been designed or constructed to protect the device from alteration or damage during the customary conditions of processing, storage, handling and distribution? Are there procedures or work instructions to ensure that mixups, damage, deterioration, contamination or other adverse effects to product do not occur during handling? Are there procedures or work instructions to ensure that only those devices approved for release are distributed?
7.5.5q4
7.5.5q5
7.5.5q6
Initials:

Page 48 of 66
Q#
7.5.5q7

Are distribution records maintained which include or refer to the location of: - Name and address of the initial consignee - The identification and quantity of devices shipped - The date shipped - Any control number(s) used
7.5.5 Preservation of product 820.120 Device labeling

7.5.5q8 Are labels printed and applied so as to remain legible and affixed during processing, storage, handling, distribution and where appropriate use? Are labels not released for storage or use until a designated individual has examined the labeling for accuracy, including where applicable: - Correct expiration date - Control number - Storage instructions - Handling instructions - Any additional processing instructions
7.5.5q9
Initials:

Page 49 of 66
Q#
7.5.5q10

Is the release of labeling, including the signature of the individual(s) performing the examination and the date, documented in the DHR? Are labels stored in a manner that provide proper identification and prevents mixups? Is labeling and packaging operations controlled to prevent mixups? Is the label and labeling used for each production unit, lot or batch documented in the DHR?
7.5.5q11
7.5.5q12 7.5.5q13
7.6 Control of monitoring and measuring device 820.72 Inspection, measuring and test equipment
7.6q1 How do you determine the measurements to be taken and the measuring equipment needed to demonstrate conformity of product with requirements? What process is in place to ensure that measurements are taken per the requirements? Can you show me procedures for this?
7.6q2
Initials:

Page 50 of 66
Q#
7.6q3

a) How do you ensure that measuring and test equipment is calibrated or verified proper frequencies with NIST traceable standards? If no such standards exist, where do you record the basis used for calibration or verification? b) What process is used to adjust or readjust measuring and test equipment when needed? c) How are measuring tools identified to enable the calibration status to be determined? d) How do you safeguard measuring equipment from adjustments that would invalidate the measurement results? e) How do you ensure that measuring its test equipment is protected from damage and deterioration during handling, maintenance and storage? When equipment is found to be out of calibration, how do you assess and record the validity of the previous measuring results? What actions do you take on the equipment and any product affected by equipment found to be out of calibration?
7.6q4
7.6q5
Initials:

Page 51 of 66
Q#
7.6q6 7.6q7

Can I see your records of the results of calibration and verification? Do you use computer software for monitoring and measurement? If so, is its ability to perform that function confirmed prior to initial use and reconfirmed as necessary?
NOTE See ISO 10012-1 and ISO 10012-2 for guidance related to measurement management systems.
8 Measurement, analysis and improvement 8.1 General 820.250 Statistical techniques

8.1q1 How do you plan and implement measurement, analysis and improvement processes needed - to demonstrate conformity of the product? - to ensure conformity of the quality management system? - to (continually improve) maintain the effectiveness of the quality management system?
Initials:

Page 52 of 66
Q#
8.1q2

How do you determine what monitoring measurement, and analysis methods to use, including statistical techniques? How do you determine the extent of their use?
8.1q3 8.1q4
Are sampling plans, when used, written and based on valid statistical rationale? Are there procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed?
NOTE National or regional regulations might require documented procedures for implementation and control of the application of statistical techniques.
8.2 Monitoring and feedback 8.2.1 (Customer satisfaction) Feedback 820.198 Complaint files
8.2.1q1 How do you obtain information about (customer perception as to) whether Organization has met customer requirements? How is this information used?
Initials:

Page 53 of 66
Q#
8.2.1q2

Are procedures for a documented market feedback system provided to ensure early warning of quality problems and for input into corrective and preventive action processes? Are complaints processed in a uniform and timely manner? Are oral complaints documented upon receipt? Are complaint records kept according to FDA/IVDD regarding: - any reported problem relating to performance characteristics and safety? - In case of products new on the market: any complaints?
8.2.1q3 8.2.1q4
8.2.1q5
If a complaint is a reportable event are the documents maintained separately portion of the complaint files or otherwise clearly identified? Are records of all customer complaint investigations maintained? Are complaint records readily available?
8.2.1q6 8.2.1q7
Initials:

Page 54 of 66
Q#
8.2.1q8

If any customer complaint is not followed by an investigation and/ or corrective and/or preventive action, is the reason authorized and recorded? Are complaints involving the failure of a device, labeling, or packaging to meet any of it specifications reviewed, evaluated and investigated? In the event of an adverse incident, the record of the investigation should include: - name of the device - date the complaint was received - any device identification and control numbers - name address and phone number of the complainant - nature and details of the investigation - corrective action taken - any reply to the complainant
8.2.1q9
8.2.1q10
Initials:

Page 55 of 66
ISO 9001:2000 ISO 13485:2003 Q# 21 CFR 820 Audit Questions 8.2.2 Internal audit 820.22 Quality audit
8.2.2q1 Are internal audits being conducted at planned intervals? Do they determine whether the QMS conforms to the requirements of ISO 9001, ISO 13485 and 21CFR 820 and to the other requirements established by Organization? (Review records to demonstrate conformance) Do they determine whether the QMS is effectively implemented and maintained? (Review records) 8.2.2q2 Can you show me an audit plan that takes into consideration the importance of the processes and areas to be audited, and the results of previous audits? Where are the audit criteria, scope, frequency and methods defined? Can you demonstrate that selection of auditors and the conduct of audits are objective and impartial, and that auditors dont audit their own work?
8.22q3 8.2.2q4
Initials:

Page 56 of 66
Q#
8.2.2q5

Can you show me your internal audit procedure? Can you show me the records of internal QMS audits?
8.2.2q6
Who ensures that actions are taken to eliminate detected nonconformities and their causes? Are they being taken care of in a timely manner? (verify with records) What activities are done to verify the actions taken, and how are the verification results reported?
8.2.2q7
NOTE See ISO (10011-1, ISO 10011-2 and ISO 10011-3) 19011 for guidance related to quality auditing.
8.2.3 Monitoring and measurement of processes 820.70 Production and process controls
8.2.3q1 8.2.3q2 What methods are used to monitor and measure the QMS processes? Can you show that they have achieved the desired results?
Initials:

Page 57 of 66
Q#
8.2.3q3

When the desired results are not achieved, what actions are taken to ensure that the product meets requirements? Do process controls include? - Documented instructions and methods that define and control the manner of production - Monitoring and control of process parameters and component and device characteristics during production - Compliance with reference standards and / or codes - Approval of processes and process equipment - Criteria for workmanship which is expressed in documented standards or by means of identified and approved representative statistically valid samples
8.2.3q4
8.2.4 Monitoring and measurement of product 8.2.4.1 General requirements 820.80 Receiving, in-process and finished device acceptance
Initials:

Page 58 of 66
Q#
8.2.4.1q1 8.2.4.1q2

What characteristics are checked to verify that product requirements have been met? At what stages of the product realization process do monitoring and measuring activities take place? Can you show me procedures for monitoring and measurement of product?
8.2.4.1q3 8.2.4.1q4
How is evidence of conformity with acceptance criteria maintained? Can you show me records that indicate who has authorized release of product to the next stage of the process? Is final product acceptance documented in the DHR? How do you ensure that product is not released until the all requirements have been met? If product must be released prior to this, how is it approved?
8.2.4.1q5
8.3 Control of nonconforming product 820.90 Nonconforming product
Initials:

Page 59 of 66
Q#
8.3q1

How do you ensure that nonconforming products are identified and controlled to prevent unintended use or delivery? (Verify product throughout audit)
8.3q2
Can you show me a procedure defining the controls for dealing with nonconforming product? Does it show responsibilities/authorities?
8.3q3 8.3q4 8.3q5
When you have nonconforming product, what methods do you use to deal with it? Can you show me records of the identity of personnel authorizing concessions? Can you show me records of nonconforming material and any actions taken? Are there any records of concessions obtained? When nonconforming product is corrected, can you demonstrate that it is re-verified to ensure it conforms to requirements?
8.3q6
Initials:

Page 60 of 66
Q#
8.3q7

When nonconforming product is detected after shipment, what actions are taken, such as containment? (Verify corrective action records)
8.3q8
Can you show me rework procedures or work instructions approved by same authority as the original work instruction? Can you show me records of determination of adverse effects of rework? Was the determination made prior to authorization of the work instruction? Are rework records documented in the DHR?
8.3q9
8.3q10
8.4 Analysis of data 820.50 Statistical techniques
Initials:

Page 61 of 66
Q#
8.4q1

What data is collected and analyzed to demonstrate the suitability and effectiveness of the QMS and to evaluate where continual improvement of its effectiveness can be made? Can you show me procedures that describe this activity?
8.4q2
What information does this analysis provide relating to: - (customer satisfaction) feedback? (5.6) - conformity to product requirements? (See 5.6) - characteristics and trends of processes and products? (See 5.6) - suppliers? (See 7.4.1)
8.4q3
Are the analysis of data results maintained? Can you show me an example of this type of record?
8.5 Improvement 8.51 (Continual improvement) General 820.20 Management responsibilities


Page 62 of 66
Q#
8.5.1q1

Can you demonstrate that Organizations QMS effectiveness continually improves? Can you demonstrate that Organization identifies and implements changes to ensure continued QMS effectiveness? What tools do you use? (See 5.6, 8.2.2, 8.4, 8.5.2, 8.5.3) Are the following used as tools: - quality policy - quality objectives - audit results - data analysis - corrective and preventative action - management review
8.5.1q2
Does the procedure for complaint handling and advisory notices address the effective and timely investigation of the problem? Are there procedures to notify appropriate regulatory authorities for incidents in compliance with the regulatory requirements (e.g. EU Vigilance System, FDA regulation)?
8.5.1q3
Initials:

Page 63 of 66
Q#
8.5.1q4 8.5.1q5 8.5.1q6

Is there a procedure for the issue and implementation of advisory notices? Is this procedure capable to be implemented at any time? Are relevant information exchanged in case that a complaint investigation determines activities that contributes to the investigation to be taken place outside the organization? Are documented procedures established to notify the regulatory authorities of any adverse events which meet reporting criteria? (e.g. time frame of reporting)
8.5.1q7
8.5.2 Corrective action 820.100 Corrective and preventative action

8.5.2q1 Do corrective actions records identify and address root cause(s)? (Do root causes match actions?)
Initials:

Page 64 of 66
Q#
8.5.2q2 8.5.2q3

Are actions taken appropriate to the severity of the problem? Can you show me a procedure defining requirements for each of the following? - reviewing nonconformities (including customer complaints) - determining the causes of nonconformities - evaluating the need for action to ensure that nonconformities do not recur - determining and implementing action needed - records of the results of any investigation and of action taken - reviewing the corrective action taken and its effectiveness
8.5.2q4
Can you show me records of investigation and corrective actions taken?
Initials:

Page 65 of 66
Q#
8.5.2q5

How does the organization ensure that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality for such product or the prevention of such problems as well as corrective actions and preventative actions for management review?
8.5.3 Preventative action 820.100 Corrective and preventative action

8.5.3q1 How do you determine potential nonconformities to take action one? Do preventive action records identify and address root cause(s)? 8.5.3q2 Are actions taken appropriate to the severity of the problem?
Initials:

Page 66 of 66
Q#
8.5.3q3

Can you show me a procedure defining requirements for each of the following? - determining potential nonconformities and their causes, - planning the preventative action - evaluating the need for action to prevent occurrence of nonconformities, - determining and implementing action needed, - (records) recording of the results of any investigation and of action taken (see 4.2.4), and - reviewing preventive action taken and its effectiveness.
8.5.3q4
Can you show me records of preventive actions taken?
Initials:

Audit Checklist 9001 13485 21 CFR 820

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Audit Checklist 9001 13485 21 CFR 820

Uploaded by

Copyright:

Available Formats

Internal Audit Checklist

Revision Level: A Page 1 of 66

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

Please circle the sections evaluated during this audit.

4.22 Quality Manual 5.4.1 Quality Objectives 5.6.2 Review Input

8.2.2 Internal Audit

8.5.2 Corrective Action

Date: Revision pages not required when using this form.

Internal Audit Checklist

Evidence (including referenced docs)

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

ISO 9001:2000 ISO 13485:2003 21 CFR 820 Audit Questions

Evidence (including referenced docs)

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

ISO 9001:2000 ISO 13485:2003 21 CFR 820 Audit Questions

Evidence (including referenced docs)

4.2 Documentation Requirements 4.2.1 General

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

ISO 9001:2000 ISO 13485:2003 21 CFR 820 Audit Questions

Evidence (including referenced docs)

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

ISO 9001:2000 ISO 13485:2003 21 CFR 820 Audit Questions

Evidence (including referenced docs)

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

ISO 9001:2000 ISO 13485:2003 21 CFR 820 Audit Questions

Evidence (including referenced docs)

4.2.2 Quality Manual 820.180 General Requirements

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

Evidence (including referenced docs)

Date: Revision pages not required when using this form.

Internal Audit Checklist

ISO 9001:2000 ISO 13485:2003 21 CFR 820 Audit Questions

Evidence (including referenced docs)

4.2.4 Control of Records 820.180 General Requirements

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

Evidence (including referenced docs)

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

Evidence (including referenced docs)

4.2.4 Control of Records 820.186 Quality system record

Auditor Name (print): Pages may be used independently.

Date: Revision pages not required when using this form.

Internal Audit Checklist

Evidence (including referenced docs)

5.1q2 5.1q3 5.1q4 5.1q5

5.2 Customer Focus