ISO 13485 Internal Audit Checklist

INTERNAL AUDIT CHECKLIST
Issued by: QA Date: Revision: A
ISO13485 Requirements What to look for and how Documents checked and auditor notes
4 Quality Management System

4.1 General requirements
4.1 Is the quality management system Are processes needed for the quality management
documented, implemented and maintained in system identified and established (process map)? Is the
accordance with requirements of ISO 13485? sequence and interaction between these processes
determined (process map)? Are criteria and methods for
the operation and control of quality system processes
established (operational procedures)? Are required
resources available? Are quality system processes
monitored and measured (internal audit, customer
feedback, manufacturing process performance, etc.)?
4.1 Are outsourced processes adequately How are outsourced processes controlled? Are outputs
controlled? of outsourced processes verified? Are subcontractors
and suppliers required to operate and maintain quality
management systems (ISO 9001, for example)?
4.2 Documentation requirements
4.2.1 General
4.2.1 Are the following types of documents Are quality policy and quality objectives documented?
established, maintained and controlled: Where?
 quality policy and quality objectives; Is there a quality manual? Operational procedures?
 quality manual;
Are drawings, specifications, work instructions, work
 operational procedures; orders, control plans, etc., issued and maintained as
 device specifications including drawings, controlled documents (as required in 4.2.3)?
composition, formulation, components,
Are electronic documents (computer files) backed up?
software etc. (Device Master Record);
 production process specifications including
equipment, production methods and
procedures, operator (work) instructions,
production environment specifications, etc.
(Device Master Record);
 quality assurance procedures and
specifications including control plans,
inspection equipment and procedures,
acceptance criteria, etc. (Device Master
Record);
 maintenance and servicing procedures and
methods (Device Master Record);
 other documents needed to ensure the
effective planning and operation of the
INTERNAL AUDIT CHECKLIST Doc: XXX Revision: A Pg. 2 of 23
Refs
Requirements What to look for and how Documents checked and auditor notes
quality system; and

 records (ref to ISO 13485 4.2.4)?
4.2.2 Quality manual
4.2.2 Does the quality manual include: Is the quality manual addressing all relevant
 the scope of the quality management requirements of ISO 13485? Are exclusions from Section
system and exclusions, 7, Product Realization, documented in the quality manual
 operational procedures or references to (if any)? Are operational procedures included or
referenced in the quality manual? How is the interaction
them,
between the processes of the quality system
 description of the interaction between the documented (process map, flowcharts, etc.)? How is the
processes of the quality system, and structure of the quality system documentation outlined in
 outline of the structure of the quality system the manual?
documentation?
4.2.3 Control of documents
4.2.3 Is there a written procedure defining the Is there a written procedure for control of documents?
controls needed to Are controlled documents reviewed and approved? How
 review and approve documents prior to the approval is evidenced (signature)? Is there a process
issue, for reviewing, updating and re-approving documents?
Are documents identified with their revision level? How
 review, update and re-approve documents,
changes are identified (change brief, highlighted, etc.?)
 identify changes and current revisions of What measures are implemented to ensure that relevant
documents, and current documents are available at points of use
 make relevant and current documents (distribution lists, current master lists, etc.)? Are
available at points of use, documents uniquely identified (unique title and /or code-
 ensure that documents are legible and number) and are they legible? Is there a process for
identifiable, receiving, reviewing, approving (for use) and distributing
 identify and control the distribution of documents of external origin (from customers, regulators,
documents of external origin, and suppliers, etc? When obsolete documents are retained,
is it for a specific, stated reason? Are obsolete
 identify retained obsolete documents and documents clearly marked to distinguish them from
prevent their unintended use? current revisions? What other measures are
Is the procedure fully implemented? implemented to prevent the unintended use of obsolete
documents?
4.2.3 Is the period for retention of obsolete Is a retention period defined for each type of controlled
controlled documents defined? documents? How is this period determined? Is the
retention period at least equal to the lifetime of the
device? Is it coordinated with the retention period for
corresponding records? Are regulatory requirements
considered?
4.2.3 Are document changes reviewed and Is there a clearly stated requirement that changes to
approved by the same function that performed documents must be reviewed and approved by the same
Refs
the original review and approval (unless function that issued the original document, or by another,
specifically designated otherwise)? explicitly designated function? Is it implemented?
Are change records maintained, including Are changes in documents (mostly product and process
description of the change, identification of the specifications) backed by design change and/or process
change records, such as engineering change notices?
affected documents, approval signatures and
How is it defined/documented when document changes
date, and when the change becomes become effective?
effective?
4.2.4 Control of Records
4.2.4 Is there a documented procedure for the Are there documented instructions how to identify,
identification, storage, protection, retrieval, organize, store, protect, and retrieve records? Are
retention, and disposition of records? storage locations for records defined?
4.2.4 Are retention periods for records defined? Is a retention period defined for each type of record?
How is this period determined? Is the retention period at
Are records retained for at least the period of least two years or equivalent to the lifetime of the device,
time equivalent to the expected life of the whichever is greater? Are regulatory requirements
device, and no less than 2 years? considered?
4.2.4 Are records organized and maintained to Are records stored in dry, clean locations to minimize
ensure that they remain legible, readily deterioration? Is there a system for organizing the
identifiable and retrievable, and to prevent records? Are boxes, drawers, binders that hold records
deterioration and loss? properly identified? Are records easily retrievable (test by
asking for retrieval of specific records)?
Are records accessible to the regulatory
Are records kept in a location that is accessible to
inspections? regulatory inspections?
Are electronic records backed up? Are electronic records backed up? Are there specific
schedules, instructions, etc. for backing up data? Where
are the back-up media (tapes, disks, etc.) kept?
4.2.4 For each type of device, is there a Device How is the DMR organized? Is it a file containing the
Master Record (DMR) including, or referring to actual specifications documents, or is it a list referring to
appropriate device specifications, production these documents and their locations? Is the DMR
process specifications, quality assurance complete, e.g., includes all required categories of
documents? Who decides, and how, which documents
procedures, maintenance and servicing
are included in the DMR? Are all documents included in
procedures and methods? the DMR correctly identified, reviewed, approved and
otherwise controlled? Are the DMR documents the same
(and the same revisions) as those used in production?
4.2.4 Are Device History Records (DHR) maintained Are DHR records properly identified to specific batches,
for each manufactured batch, lot or unit? lots or units; and are the records easily retrievable? (For
Refs
(Refer also to ISO 13485 Clause 7.5.1) other questions refer to 7.5.1)
4.2.4 Are Quality System Records (QSR) How is it determined and documented what quality
maintained, including current and obsolete system records are maintained (in QMS Manual and lists
quality system manuals and procedures, and of procedures and quality forms, and in operational
records of quality system activities such as procedures and work instructions)? Are retention periods
specified for obsolete quality system documentation and
management reviews, corrective and for quality system records?
preventive actions, internal audits, etc.?
4.2.4 Are sufficient records maintained to provide Is there a list (or other documented specification) of
evidence of conformity and effectiveness of quality system records that are maintained by the
the quality management system? company? Are the records sufficient to demonstrate
product and process conformity, and the conformity and
effectiveness of the quality management system and its
implementation?
5 Management Responsibility
5.1 Management Commitment
5.1 Is the top management How is importance of meeting customer and other
 communicating to the organization the requirements communicated? Do employees understand
importance of meeting customer and other the consequences of failing to meet requirements? Is
applicable requirements, there a quality policy? Are quality objectives defined? Are
management reviews being conducted regularly? Are
 establishing the quality policy,
adequate resources necessary for the quality system
 establishing quality objectives, provided?
 conducting management reviews, and
 ensuring availability of resources?
5.2 Customer Focus
5.2 Is the top management ensuring that What measures are implemented to ensure that
customer requirements are determined and customer requirements are determined and met
are met? (processes, procedures, training, monitoring, auditing,
etc.)?
5.3 Quality Policy
5.3 Is there a documented quality policy; and Is the quality policy appropriate (relevant to the types of
 Is it appropriate to the purpose of the products, type of market, customer expectations, etc.)?
organization? Does it include explicit commitment to comply with
 Does it include a commitment to comply with requirements and maintain (or improve) the effectiveness
of the quality system? Is it related to quality objectives?
requirements and maintain the effectiveness Do employees know the meaning of the quality policy
of the quality management system? and understand how they can contribute to achieving the
 Does it provide a framework for establishing policy? Is the quality policy periodically reviewed for
the quality objectives?
Refs
 Is it communicated and understood continuing suitability?

throughout the organization?
 Is it periodically reviewed for continuing
suitability?
5.4 Planning
5.4.1 Are measurable quality objectives How many objectives are established? Are they
established? measurable? Are methods to measure progress defined?
Who is responsible for doing this? Is anyone responsible
Are the objectives consistent with the quality for implementation of the objectives? What happens
policy? when an objective is achieved? What is the mechanism
for establishing new objectives?
5.4.2 Is the quality system planned to meet How is the quality system planned and by whom? How is
requirements and quality objectives? the plan documented (quality manual, gap analysis
checklist, etc.)? When changes are implemented, is
Is the integrity of the quality system there an evaluation of the impact of the change on the
maintained when changes are implemented? overall system?
5.5 Responsibility, authority and communication
5.5.1 Are responsibilities and authorities defined, Is there an organizational chart (or other type of
and are they communicated throughout the specification of organizational responsibilities and
organization? authorities)? Does it clearly show who is responsible for
processes needed for the quality system? Do operational
For personnel who manage, perform and procedures and work instructions assign responsibilities
verify work affecting quality, is their for performing activities that are defined in these
interrelation defined, and do they have documents? How are responsibilities and authorities
sufficient independence and authority to communicated to employees (quality manual,
perform these tasks? procedures, training)? Do personnel who verify the
quality system, process, and product conformity (mostly
auditors and inspectors) have sufficient independence
and authority?
5.5.2 Is there a management representative for the Who is appointed as the management representative?
quality management system? How is this appointment documented? Are
responsibilities and authorities of the representative
Are his/her responsibilities defined, to include: defined? Does the representative have sufficient
 ensuring that processes needed for the authority to ensure that quality system is established,
quality system are established, implemented implemented and maintained? What evidence is there
and maintained, that the representative reports to top management on the
 reporting to top management on the performance of the quality system (management review
performance of the quality system and need meetings)? What examples are there of the
for improvement, and representative promoting awareness of regulatory and
customer requirements?
 promoting the awareness of regulatory and
Refs
customer requirements?
5.5.3 Are appropriate communication processes Are quality system policies and requirements, product
established within the organization? quality requirements (specifications), quality system
effectiveness/performance data and results, product
Are information and data regarding the quality data, etc., adequately communicated?
effectiveness of the quality system regularly
What specific processes (methods) are used to
communicated? communicate this information and data (QMS
documentation, regularly scheduled review meetings,
buletin boards/newsletters, training, etc.)? Are these
processes fully implemented and are they regularly
maintained and used? Are there procedures/instructions
defining these communication processes?
Are there communication processes for employees to
report product/system quality problems, and to suggest
improvements to the quality system?
5.6 Management Review
5.6.1 Is the quality management system periodically How often are management reviews conducted? Who
reviewed to ensure its continuing suitability, participates? Is there an agenda prepared for each
adequacy and effectiveness, and to identify review? How are the reviews recorded (minutes of
opportunities for improvement? meetings)?
5.6.2 Does the input into management reviews Are all required inputs provided for each review? Are
include: there records specifically demonstrating that each input
 results of audits, was provided and considered? Have all actions from the
 customer feedback, preceding review been closed out? What happens to
actions that have not been fully completed? How, for
 process performance and product
example, are recommendations for improvement input
conformity, into the review? Who is responsible for making the
 preventive and corrective actions, recommendations? How are those recommendations
 actions from previous reviews considered? Who decides which recommendations are
 changes, accepted and which are rejected?
 recommendations for improvement, and
 new or revised regulatory requirements?
5.6.3 Does the output from management reviews In the last two management reviews, what specific
include decisions and actions related to: decisions and actions were taken that relate to
 improvements of the quality system and its improvement of the quality system and the product? How
processes, were they implemented? Were there any special
resources provided to implement the improvements?
 improvements of product related to
Was the implementation verified?
customer requirements, and
Refs
 resource needs?
6 Resource Management
6.1 Provision of resources
6.1.a) Are adequate resources provided to Are there sufficient qualified personnel assigned to
implement and maintain the quality maintain the QMS? Are document changes (revisions),
management system? corrective/preventive actions, and customer complaints
processed in a timely manner? Are internal audits,
management reviews, training and other such activities
conducted at prescribed intervals and/or in accordance
with established schedules?
6.1.b) Are adequate resources provided to meet Are there sufficient equipment and machines to perform
regulatory and customer requirements? all specified product realization processes and
monitoring/measurement activities? Are the equipment
and machines adequate (qualified/calibrated where
appropriate)? Are there sufficient qualified personnel to
operate these processes? Are customer orders shipped
on time?
6.2 Human resources
6.2.1 Do personnel performing work affecting Are competence (education, training, skills and/or
6.2.2. product quality have appropriate education, experience) records maintained for each employee?
training, skills and experience? What is the format of these records and who maintains
them? How do managers/supervisors responsible for
Are adequate records of their qualifications assignment of work activities know who is competent to
maintained? perform a particular job (training matrix)?
6.2.2.a Are competence requirements for personnel Are there defined competence (education, training, skills
6.2.2.b defined and training needs identified? and/or experience) requirements for each job/position
6.2.2.c affecting product quality? How are they documented?
Is training provided, or are other actions taken Are training needs defined (who needs what training to
to satisfy the competence requirements? meet competence requirements)?
Is the effectiveness of training (or other Are new employees formally trained for new
actions taken) evaluated? jobs/positions? How? Is this training recorded?
After completion of training, how is the effectiveness of
the training evaluated? Is it done for all training provided,
without exceptions?
6.2.2.d Are personnel made aware of the relevance Are personnel aware of the quality objectives relevant to
and importance of their work and how they their jobs/positions and do they know how, specifically,
contribute to the achievement of quality they can contribute to reaching these objectives?
objectives? Are personnel thought what specific defects can result
Refs
Are personnel made aware of device defects when they don’t do their jobs correctly?
which may occur from the improper Are personnel aware of specific consequences of
performance of their specific jobs? product deficiencies and failures (safety, environmental,
Are personnel who perform verification and customer dissatisfaction, etc.)?
validation activities made aware of defects Are photographs, drawings, samples or other aids
and errors that may be encountered as part of showing the types of defects that may be encountered
their job functions? available to personnel performing product verifications
(inspection and testing)?
6.3 Infrastructure
6.3 Is the needed infrastructure, to include Are buildings and facilities in good repair and properly
 buildings, workspaces and associated maintained (look for leaking roofs, broken windows,
utilities, contamination, infestation, etc.)? Is there sufficient space
 manufacturing equipment, and for office, production, and other operations and?
 supporting services,
determined, provided and maintained?
6.4 Work environment
6.4.a) Are requirements for the work environment In work areas, are temperature, humidity, particulate
determined? levels, bio burden, noise, and other environmental
conditions compatible with the type of product and
Is the environment adequately managed? processes? Is there appropriate and adequate lighting at
work stations?
7 Product Realization
7.1 Planning of product realization
7.1 Are product quality objectives and Are quality objectives and requirements (tolerances,
requirements determined? surface finish, workmanship standards, etc.) for the
product defined? How are they documented (drawings,
specifications, samples, etc.) and communicated
(instructions, samples, training, etc.)?
7.1 Are production processes developed and Are production processes validated or tested? Who
established? selects production equipment, and how? Are operators
trained? Are there adequate work instructions?
Are adequate equipment, operators and other
resources specific to the product provided? Select a sample of processes and ask how they were
developed and validated/tested; and review the
associated documentation (performance/validation test
results, work instructions, operator qualification
requirements, setup verification records, etc.).
7.1 Are there defined requirements for verification, Are requirements for product inspection and testing
Refs
validation, monitoring, inspection and test defined and documented for all stages of product
activities specific to the product? realization (receiving of purchased products, in-process
and final product release)? Are inspection/testing
Are the criteria for product acceptance methods and procedures defined and documented? Are
determined? acceptance criteria defined/documented? How is the
quality plan for a product communicated to production
and QC personnel (work order, procedures, checklists,
etc.)?
7.1 Are there defined requirements for records Is each specified inspection, test and monitoring activity
needed to provide evidence that production recorded? Is the scope and format of records defined
processes and resulting product meet (work orders, tags/tickets, forms, electronic data
specified requirements? collection systems, etc.)?
7.1 Are there documented requirements for risk Are there risk analysis studies for key manufacturing
management throughout product realization? processes and other product realization processes and
activities? Are records arising from risk management
Are records arising from risk management used in product and/or process design and
maintained? development? How?
7.2 Customer-related processes
7.2.1 Are product requirements defined and How are customer requirements determined and
documented, and include communicated? Are they documented? Who processes
 requirements specified by the customer this information and how is it done? Are there written
(including delivery and post-delivery); procedures/instructions and/or training?
 requirements not stated by the customer, Are there any requirements that are not stated by the
but necessary for specified or intended use; customer but are necessary? Are there any regulatory
 statutory and regulatory requirements requirements? Who determines, and how, what these
related to the product; and additional requirements are? Are they documented?
How?
 any additional requirements determined by
the company? Check a sample of orders to verify that procedures,
instructions and/or training are being followed. Interview
employees and review customer complaints to find out
whether there is history of order requirements that were
misunderstood and/or incomplete.
7.2.2 Prior to the commitment to supply product, are How are customer requirements reviewed, and by
requirements related to the product reviewed whom? Are there written procedures, instructions,
to ensure that checklists, and/or training? Are there records
 requirements are defined, demonstrating that the required reviews are being
conducted for every order?
 any discrepancies and ambiguities are
resolved, and Check a sample of orders to verify that procedures,
 company is able to meet the requirements? instructions and/or training are being followed. Interview
employees and review customer complaints and on-time
Refs
delivery records to find out any cases of orders that were

Are review records maintained? shipped late due to lack of adequate capacity to fulfill
these orders.
7.2.2 Where product requirements are not Is it permissible to take and accept verbal orders? If so,
documented (not communicated in writing), are these orders confirmed? How are such orders
are the requirements confirmed before confirmed?
accepting the order? Ask for records (copies) of the confirmations. Interview
personnel to find out whether they were consistently
trained/instructed to confirm verbal orders.
7.2.2 When changing or amending orders, are How are change orders processed? Is there a system for
relevant documents amended, and are the amending documents? Are there written instructions,
changes communicated to relevant procedures and/or training? How is information about
personnel? order changes communicated to relevant
departments/personnel within the company?
Review a sample of change orders to verify that
procedures, instructions and/or training are being
followed. See if you can uncover any past problems
caused by mishandling of change orders.
7.2.3.a Are there defined and implemented Are processes for communicating with customers
7.2.3.b arrangements for adequately defined, to include policies, assignment of
 communicating product information, and authorities and responsibilities, and methods
 handling enquiries, orders and change (procedures, instructions, training)? Are these processes
consistently implemented?
orders?
Verify that product brochures/specifications and other
product information (including the internet site) are
current.
7.2.3.c Are effective arrangements defined for Is there a system for receiving customer feedback and
communicating with customers regarding complaints (logs, complaint files, etc.)? Are
customer feedback and customer complaints, responsibilities for handling customer complaints
and advisory notices? assigned? Is there a linkage with the
corrective/preventive action system?
Is there a system for issuing advisory notices (refer to
ISO 13485 Clause 8.5.1)?
7.3 Design and development
7.3.1 Are design and development processes and Are the following processes and activities documented in
activities documented in procedures? procedures: design planning, design inputs, design
outputs, design reviews, design verification, design
validation, design transfer, and design changes?
Refs
7.3.1 Are product design activities planned, to Are design stages/activities identified? Are review,
include verification and validation activities identified? Are
 the design stages; responsibilities/authorities for each activity assigned?
 the review, verification, validation and Verify that there is a design project schedule, or at least
design transfer activities appropriate to each due dates for completion of major design phases; and
stage; and that it includes design reviews, design
 assignment of responsibilities and verification/validation, and design transfer activities. Are
authorities? interfaces with different groups or activities identified and
described?
Is the design planning output documented,
How is the design project plan documented? Are design
reviewed and approved, and is it updated as plans reviewed and approved? How are the plans
the design progresses? approved and by whom? How are the plans updated as
the design progresses? Is there specific
example/evidence of an actual design plan being
subsequently updated?
7.3.2 Are design inputs determined and How is design input documented (design project book,
documented, and include, as applicable, kickoff sheet, etc.)? Are there examples/evidence of
 functional, performance and safety specific design inputs related to safety and to regulatory
requirements according to the intended use requirements? Are risk management studies conducted
and are their results used in design inputs?
and needs of the user,
 statutory and regulatory requirements, In the design control procedure, are there documented
 information from previous similar designs, specific mechanisms for addressing incomplete,
 outputs of risk management? ambiguous or conflicting requirements?
Who is responsible for reviewing and approving the
Are there procedures for addressing
input? How is the approval documented/recorded (must
incomplete, ambiguous or conflicting design be hand-signed and dated)? How are changes and/or
input requirements? introduction of additional inputs handled?
Are design inputs reviewed for adequacy and
approved by a designated person?
7.3.3 Are design outputs provided in a form that is Is design output documented? How? Are the documents
suitable for verification against design input reviewed and approved prior to release and by whom
requirements? (must be hand-signed and dated)? How are preliminary
documents distinguished from the final released
Are design outputs documented, reviewed, documents?
and approved prior to release?
Verify that design output documents forwarded to
production, subcontractors or other consultants are
clearly identified as final or preliminary.
7.3.3 Do design outputs Is there a systematic review to verify that design output
 meet design input requirements, meets design input requirements (last design review
Refs
 provide necessary information for meeting)? Is information for purchasing, such as material
purchasing and production, specs, parts lists, etc. included? Are there clear
 contain acceptance criteria, and specifications, drawings and instructions for production?
 specify product characteristics that are Are there acceptance criteria for inspection and testing of
product? Where applicable, are safety and operation/use
essential for its safe and proper use?
features considered in the design and included in the
design output?
7.3.3 Are there design project records (Design Are the following types of documents included in the
History File) demonstrating that design was DHF:
developed in accordance with the approved design plans; design input requirements and records of
design plan and with regulatory and quality their reviews and approvals; conceptual and preliminary
system requirements? versions of design documents; studies, calculations and
analysis supporting the design; protocols, reports,
studies and other records of design verification and
validation activities; records of review and approval of
design output documents; agendas and minutes of
design reviews?
7.3.4 Are design reviews conducted to evaluate Is there a documented procedure for conducting design
whether the design is on track toward meeting reviews?
input requirements, and to identify any How many design reviews are planned for the design
problems and propose necessary actions? project? What is the role of these reviews?
Do participants at each review include all Who participates? Is there someone who does not have
functions concerned, any specialists needed, direct responsibility for the stage being reviewed?
and a person who does not have direct Are there records of the reviews? Are there records
responsibility for the design stage being demonstrating that the resulting actions are implemented
reviewed? and their effectiveness verified?
Are records of the reviews and the resulting
actions maintained?
7.3.5 Are designs verified to ensure that design What specific actions are taken to verify that design
outputs have met the design input outputs meet the design input requirements? Is this a
requirements? systematic review? Are all design inputs considered? Are
the actual verification results (calculations, data, etc.)
Are records of the verification results and any included in the record? Do the design verification records
related actions maintained? identify methods, date and the individuals performing the
verification?
7.3.6 Are designs validated to ensure that the How is the design validated? Are the initial production
resulting product is capable of meeting the units or a prototype used? Are use conditions simulated
or actual? Is software validation applicable, and, if yes,
Refs
requirements for user needs and intended was it carried out? Is risk analysis applicable (when
uses? failure of the device can create a safety hazard), and, if
yes, was risk analysis performed? Are validation records
Are records of the validation results and any maintained? Are the actual validation results (test data)
related actions maintained? included in the record? Do the design validation records
identify methods, date and the individuals performing the
validation?
7.3.7 Are design changes reviewed, verified, How are requests for design changes documented and
validated, as appropriate, and approved processed? Who reviews and approves requests for
before their implementation? design changes? Is the effect of change on the overall
product considered (ask for specific examples)? Who
Are changes evaluated with respect to their decides, and how, what reviews, verifications and
effect on constituent parts and on product validations need to be done for a design change? Are
already delivered? results of reviews, verifications and validations included
in design change records?
Are records of changes maintained, to include
their reviews/evaluations and any necessary
actions?
7.4 Purchasing
7.4.1 Are suppliers and the supplied product How are suppliers controlled: initial selection evaluations,
adequately controlled to ensure that the ongoing monitoring, audits of supplier’s QMS and/or
product conforms to specified purchase manufacturing processes, and requests for corrective
requirements? actions?
How is purchased product controlled: review of quality
records (SPC charts, inspection reports, lab test results,
etc.), receiving inspection? Who makes these decisions?
7.4.1 Are suppliers evaluated, and is supplier Are suppliers evaluated and reviewed before they are
selection based on their ability to provide approved? What are the scope, extent and criteria for
products conforming to specified evaluating and approving suppliers? Who decides? How
requirements? is the approval documented (an approved vendor list)?
Are there records of initial supplier evaluations?
Are supplier evaluation and selection
Select randomly and review a sample of supplier
(approval) criteria established? evaluation and monitoring files. Is their approval status
Is there an approved supplier list? clearly authorized? Is their performance consistently
monitored? In the event of nonconforming deliveries, are
Are records or supplier evaluations and they required to implement corrective actions? Is there a
related actions maintained? follow up?
7.4.2 Do purchasing specifications include, where Where appropriate, are there requirements for
appropriate, certificates, inspection reports, SPC data, approval of
 requirements for approval of product, samples, etc. included in purchasing documents? Are
there any requirements with regard to supplier’s quality
Refs
procedures, processes and equipment; management system?

 requirements for approval of personnel, and Review a sample of purchase orders, especially those
 quality management system requirements? where the product is expected to come with certificates.
Do purchasing documents include an In purchasing documents, is there an agreement that
agreement obliging suppliers to give supplier must notify the buyer of any changes to the
notification of changes to their product or supplied products or services? When such notification is
service? received, who evaluates, and how, whether the changes
have an affect on the quality of the finished device, and
whether they are acceptable or not. How is this
evaluation and its result documented?
7.4.2 Are purchasing specifications (data) approved How is adequacy of purchasing documents ensured? Are
before they are forwarded to suppliers? the documents reviewed and approved before release?
Are there standard, pre-approved, specifications in the
system? What other methods are used?
See if you can uncover any past problems caused by
errors or omissions in purchasing documents.
7.4.3 Are there established and implemented What is being done to ensure purchased product
activities necessary for ensuring that conformity: certificates or inspection reports from supplier
purchased products meet specified or independent labs, SPC records, Cpk or Ppk
requirements? requirements, in house receiving inspection, supplier’s
QMS certification?
Select a sample of purchased product categories and
investigate for each what activities or arrangements are
planned to ensure their conformity, how this plan is
documented and communicated, and whether it is
consistently implemented.
7.4.3 When intending to perform product verification Is this relevant? If so, review a sample of purchase
at supplier premises, are verification orders or contracts to ascertain that product verification
arrangements and methods defined in the and release methods are defined in the purchasing
purchasing documents? documents.
7.5 Production and service provision

7.5.1.a) Are adequate product specifications Are adequate product specifications (drawings, parts
available? lists, math data, standards, samples, etc.) available to
production personnel? Are the specifications approved
and are they current?
Interview production personnel and ask how they know
what to make and what the requirements are for
workmanship standards (appearance, precision, surface
Refs
quality, color, etc.).
7.5.1.b) Are adequate production specifications Are there adequate instructions for operating machines
available, to include, as applicable: and processes? Who decides and how (criteria) whether
procedures, requirements, work instructions, work instructions shall be established for a given
reference materials, and reference process/work station? Are process parameters
(temperature, pressure, speed, etc.) defined? Where
measurement procedures?
process operators are required to make measurements,
are there measurement procedures available?
Ask operators what should the settings be for various
parameters in their processes, and how they know this.
What are the lower and upper limits for the parameters?
What should they do, and how, when a parameter
(temperature, for example) goes over limit?
7.5.1.f) Are release, delivery and post-delivery Are there defined responsibilities for these activities?
activities implemented? How are requirements documented (procedures, work
orders, servicing requisitions, etc.)?
Are delivery-related activities defined in procedures, work
instructions, training, etc.? Are appropriate records
maintained?
7.5.1 Are there Device History Records (Batch Who determines the exact scope of records included in
Records) for each manufactured batch, lot or the Device History Records (DHR), and how is the scope
unit? documented and communicated (procedure, traveler,
work order form, etc.)? Is the DHR complete, e.g.,
Are the following records included in the includes all required categories of records? Are DHR
DHRs: records properly identified to specific batches, lots or
 the date of manufacture, quantity units; and are the records easily retrievable?
manufactured, and quantity released for
distribution;
 the acceptance records demonstrating that
the device is manufactured in accordance
with the DMR;
 the primary identification label and labeling
used for each production unit;
 any device identifications and control
numbers used; and
 other traceability information to the extent
specified?
7.5.1.2.3 Applies only where servicing is a specified Is this requirement applicable?

requirement:
Is servicing performed by the company or its authorized
Refs
Are there adequate instructions and agent? Are there documented servicing instructions? Are
procedures for performing servicing and for servicing verification procedures included? Are there
verifying that servicing meets the specified forms or other means provided for establishing servicing
requirements? reports?
How is it ensured that servicing technicians use the latest
Are there documented service reports that
(correct) revision? Are servicing technicians
include: trained/qualified?
 name and identification (serial number) of
the device serviced, Who and how often analyzes servicing reports to detect
recurring quality problems? What statistical methodology
 date of service,
is used? Are corrective or preventive actions initiated to
 identification of the individual servicing the address problems?
device,
 description of the service performed, and
 test and inspection data?
Are service reports analyzed with appropriate
statistical methodology to detect recurring
quality problems?
7.5.2.1 Where the results of a production process Who is responsible for identifying processes requiring
cannot be fully verified by subsequent validation, and deciding what shall be the scope and
inspection and test, are these processes approval criteria for the validation? Are validation results
validated? documented? Are the results reviewed, approved and
signed by the individual approving the process and
Are validation results documented and associated equipment?
approved? Are there documented qualification (training)
Are appropriate arrangements established for requirements for process operators? Are process
these processes, including parameters monitored and controlled? Are the
 criteria for their review and approval, monitoring/control data recorded (including date, method,
data, and identification of equipment and process
 monitoring and control of process operator)?
parameters,
 personnel qualifications, and Are processes revalidated (where appropriate)?
 use of specific methods and procedures.
Are there process monitoring and control
records for these processes, including date,
methods, data, equipment, and the process
operators?
When changes or process deviations occur,
are these processes revalidated? Are the
results documented and approved?
7.5.2.1 Where computer software is used for Is computer software used for production (in automated
Refs
production and/or service provision automated processes)? How was the software developed? For
processes), are such software applications commercial, off-the-shelf software, is there any evidence
validated prior to initial use? that the software was properly validated by its
developer? If developed in house or by a consultant, was
Are validation results documented? it formally validated? Are validation results documented
in reports? Are the reports available?
Are all software changes also validated?
Are all software revisions validated (at least partially to
validate the changes)?
7.5.3.1 Are products suitably identified throughout Is there a documented procedure instructing how to
product realization to prevent mix-ups? identify product throughout product realization?
Are returned medical devices identified to

distinguish them from conforming product?
7.5.3.2.1 Are there procedures or specifications defining How is it documented what production records are
the extent of product traceability and the established and maintained, and how are these records
records required? correlated with specific production lots or batches? What
criteria are used in deciding the extent of traceability, and
who makes this decision?
Review a sample of production records and verify the
integrity of the traceability system. Verify that rework
operations (diluting, mixing, reprocessing, etc.) do not
compromise the integrity of the traceability system.
7.5.3.3 Throughout all product realization stages, are Are there specific product identification methods defined
products identified with respect to their for conforming and nonconforming product at receiving?
acceptance status to indicate the conformity or In production areas? At individual work stations and
nonconformity of the product? during processing? During servicing?
What other controls are used to ensure that only product
that has passed the required acceptance activities is
distributed, used and installed?
7.5.4 When customer provides product for use or Is this relevant? Are customers supplying any materials,
incorporation into the final product, is products, templates, molds, measuring devices, etc.?
customer property identified, verified, Are customers providing any intellectual property, such
protected and safeguarded? as drawings, specifications, procedures, health
information, etc?
Are customers notified in any event of loss,
If so, look for identification showing that the
damage or unsuitability of their property? product/document belongs to customer. Investigate
whether there were any events of loss, damage, or
unsuitability of customer property and whether this was
promptly reported back to the customer.
Refs
8 Measurement, analysis and improvement

8.1 General
8.1 Are measurement, analysis and improvement Are all product and process verification activities defined
processes planned and implemented to (in drawings, specifications, procedures, control plans,
 demonstrate conformity of the product, etc.)? What measurements/monitoring are planned to
 ensure conformity of the QMS, and ensure conformity of the QMS (internal audits)? What
measurements are planned to monitor the effectiveness
 maintain the effectiveness of the QMS? of the QMS (reject rates, on-time delivery, customer
satisfaction, etc.)?
8.1 Are applicable methods determined, including How are measuring /analysis methods defined (work
statistical techniques, for the measurement, instructions, procedures, standards, etc.)? Are statistical
analysis and improvement processes? techniques used in inspection (sampling plans), in
process control (SPC), in qualifying measurement
Are sampling plans based on valid statistical systems (gauge R&R), etc.)?
rationale? Are they documented?
Are sampling plans based on statistical theory or
Are there procedures to ensure that sampling recognized standards? Is it known what probabilities of
methods are adequate and that when changes finding nonconformity are associated with the sampling
occur the sampling plans are reviewed? plan used?
Is there a procedure requiring that sampling plans be
reviewed in response to changes and events (process
changes, increased risks, increase/decrease in identified
nonconformities, etc.)?
8.2 Monitoring and measurement
8.2.1 Are methods determined for obtaining and What information is used to determine whether customer
using information related to whether the requirements have been met (rates of nonconforming
company has met customer requirements? product shipped, on-time delivery performance, etc.)?
How is this information obtained (returned product,
Is there a system for obtaining and analyzing customer complaints, shipping records, etc.)? How
customer feedback to provide early warning of often? How is this information processed and used (for
quality problems? example, statistical analysis reported to management
review)?
Is customer feedback used as input into the
corrective and preventive action processes? Are corrective or preventive actions raised in response to
customer feedback?
8.2.2 Are internal audits planned and conducted to Is there an internal audit plan/schedule? Are status and
determine whether the quality management importance of a process considered when planning
system conforms to requirements and whether audits (increased audit frequency for important and/or
it is effectively implemented and maintained? problematic processes/areas)? Are all relevant
processes and areas covered by the audit
plan/schedule? Are all applicable requirements of ISO
Refs
13485 covered?
8.2.2 Are audit criteria, scope, frequency and Is there a written procedure for internal auditing? Are
methods defined and documented? auditors trained? How are audit criteria and scope
documented (standard, checklists, etc.)? Are there any
Is the audit process objective and impartial? records of what specific evidence was reviewed (usually
auditor notes on checklists)? How are nonconformities
documented? Are auditors impartial and independent
from the work being audited?
8.2.2 Are corrective actions taken to eliminate Are specific responsibilities assigned for corrective
detected nonconformities and their causes? actions to eliminate nonconformities and their causes?
Are corrective actions documented/recorded? Is there a
Are corrective actions followed up to verify the follow up to verify the implementation and effectiveness
actions taken and to report the verification of corrective actions?
results?
8.2.3 Are quality system processes monitored and Are all specified process monitoring activities
measured? implemented? Are process monitoring methods and
acceptance criteria documented. Are results recorded?
When planned results are not achieved, are
corrections and corrective actions taken to When processes are changed, corrected or adjusted to
fix problems or improve performance, are these
ensure conformity of the product?
corrections documented? How?
8.2.4 Are all product acceptance activities (in- How are requirements for inspection and testing activities
process and final inspections and tests) documented (control plans, work orders, travelers,
carried out in accordance with planned procedures, etc.)? How are they communicated to
arrangements and documented procedures? production and QC personnel?
How are in-process inspections and tests recorded?
Are in-process products controlled to prevent
their use (further processing) before the What measures are implemented to prevent product from
required acceptance activities are completed? moving to the next processing stage before the required
in-process inspections are completed? Is the identity of
the inspecting/testing personnel recorded?
Select a sample of production/QC records and verify that
all specified inspections were performed and the results
recorded.
8.2.4 Are there effective measures implemented to Are product release activities documented in a
prevent release of product for distribution procedure? Who verifies, and how, that all specified
before production and acceptance activities have been
 all activities required in the DMR are completed? Is there a checklist for the review of the
associated data and documentation? How are results of
completed,
this review recorded? Are product release authorizations
 the associated data and documentation is
Refs
reviewed, and dated and signed?

 the release is dated and is authorized by a How is the released product identified (distinguished
signature of a designated person(s)? from product that has not yet been released)? What
measures are implemented to ensure that product that
has not been formally released is not used or shipped?
Ask personnel in inventory management and shipping
functions how do they know (and verify) what is the
release status for any given product (batch).
Select a sample of production/QC records (and/or
product staged for shipping) and verify that all product
release activities were carried out as planned.
8.2.4 Are acceptance and release records For each run, lot or batch of finished devices, are there
maintained and include complete records of all inspections, tests and other
 identification of acceptance activities release activities and their results? Are release records
performed and, where appropriate, the dated and signed by the individuals performing the
acceptance activities? Are these records included in the
methods and equipment used, DHR? How long are they maintained? Are they easily
 the results, and retrievable?
 dates and signatures of individual
performing the acceptance activities?
Are these records included in the DHR?
8.3 Control of nonconforming product
8.3 Are nonconforming products properly Is there a procedure for identifying, controlling and
identified and controlled to prevent their dealing with nonconforming product? Are nonconforming
unintended use or delivery? products segregated? Quarantined? How?
8.3 Are nonconforming products evaluated to Are responsibilities assigned for making NC product
determine the nature and causes of the disposition decisions? Are these decisions documented?
nonconformity and to disposition whether to How is this documentation associated with the actual
 eliminate the nonconformity (rework), product (control number, special stickers/tag, copy of the
NCR report attached to the product, etc.)? When
 authorize their use, release or acceptance
accepting NC products by concession, is there an
(accept as-is by concession), or evaluation carried out whether the product continues to
 preclude their original use or application meet regulatory requirements? Who has the authority to
(scrap or re-grade)? accept NC products by concession?
Does the evaluation include the determination Is there a determination whether external organizations
of a need for an investigation and notification or individuals should be involved in the investigation of
of the persons or organizations responsible for the nonconformity? How is it documented?
the nonconformity?
Refs
8.3 Are records maintained of the nonconformities Are there records describing the nature of
and any subsequent action taken? nonconformities and actions taken? Are they traceable to
specific product batches or shipments? How long are
these records retained?
8.3 Are actions taken to mitigate the effects of What actions are taken when product nonconformity is
nonconformity when a nonconforming product detected after delivery? Who decides what needs to be
has been shipped (or use has started)? done? Are these decisions documented? How? Is there
a follow up to determine whether the actions were
completed and were effective?
8.3 If product needs to be reworked, are the Are there documented rework instructions? Are they
rework processes documented and approved? approved by the same authorization and approval
procedure as the original work instructions?
Are reworked and repaired products re-
verified to demonstrate their conformity? Are reworked or repaired products re-verified (re-
inspected, re-tested, etc.) to their original specification?
Is a determination made whether there are Are the results recorded? Is reworked product formally
any adverse effects of rework upon the released for use or delivery?
product? Is this determination documented? Is Is there a documented determination of any adverse
it included in the DHR? effects of rework? Who makes this determination?
Are rework records (type and extent of rework, product
acceptance activities, etc.) included in the DHR?
8.4 Analysis of data
8.4 Are appropriate data on the performance of What specific data and information are collected
the quality management system collected and regarding customer feedback? Are data on product
analyzed, to include nonconformity rates collected? Are there data on trends
 customer feedback, of characteristics of processes and products (e.g., on
how these characteristics vary within the specified
 product conformity,
tolerance)? What specific supplier performance data are
 characteristics and trends of processes and being systematically collected (on-time delivery,
products (including opportunities for nonconformity rates, etc.)?
preventive actions), and
Is it determined how the quality performance data is to
 suppliers?
be collected and by whom? How the data is processed,
analyzed and used?
8.5 Improvement and corrective/preventive action
8.5.1 Are changes necessary to maintain the Is there a process for identifying the need for changes to
suitability and effectiveness of the quality the quality system? How are the quality policy and quality
system identified and implemented, through objectives used in this process? How are audit results
the use of and analysis of data used? What specific improvements
have been implemented through the current (last) cycle?
 quality policy
Is there a systematic process for implementing
Refs
 quality objectives, improvements and for verifying their effectiveness

 audit results, (objective implementation projects, corrective and
 analysis of data, preventive actions, etc.)?
 corrective and preventive actions, and
 management reviews?
8.5.1 Is there a procedure for issue and Is the procedure for issuing advisory notices and product
implementation of advisory notices? recall sufficiently comprehensive, detailed and practical
to implement? Is the authority and responsibility for
Is this procedure capable of being making recall decisions clearly defined? How much time
implemented at any time? is needed to implement the procedure during a
weekend? Was the procedure ever implemented? Are
there any records demonstrating the effectiveness of the
procedure?
8.5.1 Is there a procedure for receiving, reviewing Who is responsible for processing complaints? Are these
and evaluating complaints? responsibilities formally documented? Is there a form for
documenting oral complaints? Who is responsible for
Are all complaints, including oral complaints, making the determination whether a complaint
documented? represents a reportable event? Is every complaint
evaluated in this regard? Is the determination
documented (checkbox on the complaint form)?
8.5.1 Are complaints reviewed and evaluated to Who is responsible for making the determination whether
determine whether an investigation and/or a complaint should be investigated and whether a
corrective action are necessary? corrective or preventive action is appropriate? Is every
complaint evaluated in this regard? Is the determination
Are all complaints involving the possible documented (checkbox on the complaint form)?
nonconformity of a device investigated (unless
Are all complaints associated with device nonconformity
a similar investigation was already investigated?
performed)?
Is a documented justification established when a
When no investigation and/or corrective action decision is made not to investigate and/or not to
are made, is there a record with a justification implement a corrective or preventive action?
why investigation was not required, and with
the name of the person who is responsible for
this decision?
8.5.2 Are actions taken to eliminate causes of How many corrective actions have been initiated through
8.5.3 existing and potential nonconformities to the period? How many are open? How long have they
prevent recurrence? been open? Are there due dates?
8.5.2 Is there a documented procedure for Is there a documented procedure for corrective actions?
8.5.3  analyzing sources of quality and quality How existing and potential nonconformities are identified
and reviewed (nonconforming product/process reports,
Refs
performance data to identify existing and customer-returned product, product returned for
potential causes of nonconforming product servicing, customer complaints, etc.)? How are causes
or other quality problems; determined? Are they documented (CAR form?) How is
 investigating the causes of nonconformities; the need for corrective actions determined (authorized
personnel/managers issuing CARs)? How are the
 identifying and implementing the actions
required actions determined and recorded (in a CAR
needed to correct and prevent recurrence of form)? Are corrective actions followed up and are their
nonconforming product or other quality results recorded? Are CARs implemented and closed out
problems; in a timely manner? Are corrective/preventive actions
 verifying the effectiveness of corrective and reviewed (Management Review)?
preventive actions;
 reporting quality problems and associated
corrective and preventive actions to
management review,
 maintaining records of corrective and
preventive actions and their results?

ISO 13485 Internal Audit Checklist

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Read this document in other languages

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISO 13485 Internal Audit Checklist

Uploaded by

Copyright:

Available Formats

INTERNAL AUDIT CHECKLIST

Issued by: QA Date: Revision: A

4 Quality Management System

quality system; and

 Is it communicated and understood continuing suitability?

delivery records to find out any cases of orders that were

procedures, processes and equipment; management system?

7.5 Production and service provision

quality, color, etc.).

7.5.1.2.3 Applies only where servicing is a specified Is this requirement applicable?

Are returned medical devices identified to

8 Measurement, analysis and improvement

reviewed, and dated and signed?

 quality objectives, improvements and for verifying their effectiveness

You might also like