ISO 13485 Internal Audit Checklist [PDF]


INTERNAL AUDIT CHECKLIST Issued by: QA ISO13485

Requirements

4

Quality Management System

4.1

General requirements

Date: What to look for and how

4.1

Is the quality management system documented, implemented and maintained in accordance with requirements of ISO 13485?

Are processes needed for the quality management system identified and established (process map)? Is the sequence and interaction between these processes determined (process map)? Are criteria and methods for the operation and control of quality system processes established (operational procedures)? Are required resources available? Are quality system processes monitored and measured (internal audit, customer feedback, manufacturing process performance, etc.)?

4.1

Are outsourced processes adequately controlled?

How are outsourced processes controlled? Are outputs of outsourced processes verified? Are subcontractors and suppliers required to operate and maintain quality management systems (ISO 9001, for example)?

4.2

Documentation requirements

4.2.1

General

4.2.1

Are the following types of documents established, maintained and controlled:
- quality policy and quality objectives;
- quality manual;
- operational procedures;
- device specifications including drawings, composition, formulation, components, software etc. (Device Master Record);
- production process specifications including equipment, production methods and procedures, operator (work) instructions, production environment specifications, etc. (Device Master Record);
- quality assurance procedures and specifications including control plans, inspection equipment and procedures, acceptance criteria, etc. (Device Master Record);
- maintenance and servicing procedures and methods (Device Master Record);
- other documents needed to ensure the effective planning and operation of the quality system; and
- records (ref to ISO 13485 4.2.4)?

Are quality policy and quality objectives documented? Where? Is there a quality manual? Operational procedures? Are drawings, specifications, work instructions, work orders, control plans, etc., issued and maintained as controlled documents (as required in 4.2.3)? Are electronic documents (computer files) backed up?

Revision: A Documents checked and auditor notes

4.2.2

Quality manual

4.2.2

Does the quality manual include:
- the scope of the quality management system and exclusions,
- operational procedures or references to them,
- description of the interaction between the processes of the quality system, and
- outline of the structure of the quality system documentation?

Is the quality manual addressing all relevant requirements of ISO 13485? Are exclusions from Section 7, Product Realization, documented in the quality manual (if any)? Are operational procedures included or referenced in the quality manual? How is the interaction between the processes of the quality system documented (process map, flowcharts, etc.)? How is the structure of the quality system documentation outlined in the manual?

4.2.3

Control of documents

4.2.3

Is there a written procedure defining the controls needed to
- review and approve documents prior to issue,
- review, update and re-approve documents,
- identify changes and current revisions of documents,
- make relevant and current documents available at points of use,
- ensure that documents are legible and identifiable,
- identify and control the distribution of documents of external origin, and
- identify retained obsolete documents and prevent their unintended use?

Is the procedure fully implemented?

Is there a written procedure for control of documents? Are controlled documents reviewed and approved? How is the approval evidenced (signature)? Is there a process for reviewing, updating and re-approving documents? Are documents identified with their revision level? How are changes identified (change brief, highlighted, etc.)? What measures are implemented to ensure that relevant and current documents are available at points of use (distribution lists, current master lists, etc.)? Are documents uniquely identified (unique title and/or code number) and are they legible? Is there a process for receiving, reviewing, approving (for use) and distributing documents of external origin (from customers, regulators, suppliers, etc.)? When obsolete documents are retained, is it for a specific, stated reason? Are obsolete documents clearly marked to distinguish them from current revisions? What other measures are implemented to prevent the unintended use of obsolete documents?

4.2.3

Is the period for retention of obsolete controlled documents defined?

Is a retention period defined for each type of controlled document? How is this period determined? Is the retention period at least equal to the lifetime of the device? Is it coordinated with the retention period for corresponding records? Are regulatory requirements considered?

4.2.3

Are document changes reviewed and approved by the same function that performed the original review and approval (unless specifically designated otherwise)?

Is there a clearly stated requirement that changes to documents must be reviewed and approved by the same function that issued the original document, or by another, explicitly designated function? Is it implemented?

Doc: XXX

4.2.4

Are change records maintained, including description of the change, identification of the affected documents, approval signatures and date, and when the change becomes effective?

Are changes in documents (mostly product and process specifications) backed by design change and/or process change records, such as engineering change notices? How is it defined/documented when document changes become effective?

Control of Records

4.2.4

Is there a documented procedure for the identification, storage, protection, retrieval, retention, and disposition of records?

Are there documented instructions on how to identify, organize, store, protect, and retrieve records? Are storage locations for records defined?

4.2.4

Are retention periods for records defined? Are records retained for at least the period of time equivalent to the expected life of the device, and no less than 2 years?

Is a retention period defined for each type of record? How is this period determined? Is the retention period at least two years or equivalent to the lifetime of the device, whichever is greater? Are regulatory requirements considered?

4.2.4

Are records organized and maintained to ensure that they remain legible, readily identifiable and retrievable, and to prevent deterioration and loss? Are records accessible to the regulatory inspections?

Are records stored in dry, clean locations to minimize deterioration? Is there a system for organizing the records? Are boxes, drawers, binders that hold records properly identified? Are records easily retrievable (test by asking for retrieval of specific records)? Are records kept in a location that is accessible to regulatory inspections?

Are electronic records backed up?

Are electronic records backed up? Are there specific schedules, instructions, etc. for backing up data? Where are the back-up media (tapes, disks, etc.) kept?

4.2.4

For each type of device, is there a Device Master Record (DMR) including, or referring to appropriate device specifications, production process specifications, quality assurance procedures, maintenance and servicing procedures and methods?

How is the DMR organized? Is it a file containing the actual specifications documents, or is it a list referring to these documents and their locations? Is the DMR complete, e.g., includes all required categories of documents? Who decides, and how, which documents are included in the DMR? Are all documents included in the DMR correctly identified, reviewed, approved and otherwise controlled? Are the DMR documents the same (and the same revisions) as those used in production?

4.2.4

Are Device History Records (DHR) maintained for each manufactured batch, lot or unit? (Refer also to ISO 13485 Clause 7.5.1)

Are DHR records properly identified to specific batches, lots or units; and are the records easily retrievable? (For other questions refer to 7.5.1)

4.2.4

Are Quality System Records (QSR) maintained, including current and obsolete quality system manuals and procedures, and records of quality system activities such as management reviews, corrective and preventive actions, internal audits, etc.?

How is it determined and documented what quality system records are maintained (in QMS Manual and lists of procedures and quality forms, and in operational procedures and work instructions)? Are retention periods specified for obsolete quality system documentation and for quality system records?

4.2.4

Are sufficient records maintained to provide evidence of conformity and effectiveness of the quality management system?

Is there a list (or other documented specification) of quality system records that are maintained by the company? Are the records sufficient to demonstrate product and process conformity, and the conformity and effectiveness of the quality management system and its implementation?

5

Management Responsibility

5.1

Management Commitment

5.1

Is the top management
- communicating to the organization the importance of meeting customer and other applicable requirements,
- establishing the quality policy,
- establishing quality objectives,
- conducting management reviews, and
- ensuring availability of resources?

How is importance of meeting customer and other requirements communicated? Do employees understand the consequences of failing to meet requirements? Is there a quality policy? Are quality objectives defined? Are management reviews being conducted regularly? Are adequate resources necessary for the quality system provided?

5.2

Customer Focus

5.2

Is the top management ensuring that customer requirements are determined and are met?

What measures are implemented to ensure that customer requirements are determined and met (processes, procedures, training, monitoring, auditing, etc.)?

5.3

Quality Policy

5.3

Is there a documented quality policy; and
- Is it appropriate to the purpose of the organization?
- Does it include a commitment to comply with requirements and maintain the effectiveness of the quality management system?
- Does it provide a framework for establishing the quality objectives?
- Is it communicated and understood throughout the organization?
- Is it periodically reviewed for continuing suitability?

Is the quality policy appropriate (relevant to the types of products, type of market, customer expectations, etc.)? Does it include explicit commitment to comply with requirements and maintain (or improve) the effectiveness of the quality system? Is it related to quality objectives? Do employees know the meaning of the quality policy and understand how they can contribute to achieving the policy? Is the quality policy periodically reviewed for continuing suitability?

5.4

Planning

5.4.1

Are measurable quality objectives established? Are the objectives consistent with the quality policy?

How many objectives are established? Are they measurable? Are methods to measure progress defined? Who is responsible for doing this? Is anyone responsible for implementation of the objectives? What happens when an objective is achieved? What is the mechanism for establishing new objectives?

5.4.2

Is the quality system planned to meet requirements and quality objectives? Is the integrity of the quality system maintained when changes are implemented?

How is the quality system planned and by whom? How is the plan documented (quality manual, gap analysis checklist, etc.)? When changes are implemented, is there an evaluation of the impact of the change on the overall system?

5.5

Responsibility, authority and communication

5.5.1

Are responsibilities and authorities defined, and are they communicated throughout the organization? For personnel who manage, perform and verify work affecting quality, is their interrelation defined, and do they have sufficient independence and authority to perform these tasks?

Is there an organizational chart (or other type of specification of organizational responsibilities and authorities)? Does it clearly show who is responsible for processes needed for the quality system? Do operational procedures and work instructions assign responsibilities for performing activities that are defined in these documents? How are responsibilities and authorities communicated to employees (quality manual, procedures, training)? Do personnel who verify the quality system, process, and product conformity (mostly auditors and inspectors) have sufficient independence and authority?

5.5.2

Is there a management representative for the quality management system? Are his/her responsibilities defined, to include:
- ensuring that processes needed for the quality system are established, implemented and maintained,
- reporting to top management on the performance of the quality system and need for improvement, and
- promoting the awareness of regulatory and customer requirements?

Who is appointed as the management representative? How is this appointment documented? Are responsibilities and authorities of the representative defined? Does the representative have sufficient authority to ensure that quality system is established, implemented and maintained? What evidence is there that the representative reports to top management on the performance of the quality system (management review meetings)? What examples are there of the representative promoting awareness of regulatory and customer requirements?

5.5.3

Are appropriate communication processes established within the organization? Are information and data regarding the effectiveness of the quality system regularly communicated?

Are quality system policies and requirements, product quality requirements (specifications), quality system effectiveness/performance data and results, product quality data, etc., adequately communicated? What specific processes (methods) are used to communicate this information and data (QMS documentation, regularly scheduled review meetings, bulletin boards/newsletters, training, etc.)? Are these processes fully implemented and are they regularly maintained and used? Are there procedures/instructions defining these communication processes? Are there communication processes for employees to report product/system quality problems, and to suggest improvements to the quality system?

5.6

Management Review

5.6.1

Is the quality management system periodically reviewed to ensure its continuing suitability, adequacy and effectiveness, and to identify opportunities for improvement?

How often are management reviews conducted? Who participates? Is there an agenda prepared for each review? How are the reviews recorded (minutes of meetings)?

5.6.2

Does the input into management reviews include:
- results of audits,
- customer feedback,
- process performance and product conformity,
- preventive and corrective actions,
- actions from previous reviews,
- changes,
- recommendations for improvement, and
- new or revised regulatory requirements?

Are all required inputs provided for each review? Are there records specifically demonstrating that each input was provided and considered? Have all actions from the preceding review been closed out? What happens to actions that have not been fully completed? How, for example, are recommendations for improvement input into the review? Who is responsible for making the recommendations? How are those recommendations considered? Who decides which recommendations are accepted and which are rejected?

5.6.3

Does the output from management reviews include decisions and actions related to:
- improvements of the quality system and its processes,
- improvements of product related to customer requirements, and
- resource needs?

In the last two management reviews, what specific decisions and actions were taken that relate to improvement of the quality system and the product? How were they implemented? Were there any special resources provided to implement the improvements? Was the implementation verified?

6

Resource Management

6.1

Provision of resources

6.1.a)

Are adequate resources provided to implement and maintain the quality management system?

Are there sufficient qualified personnel assigned to maintain the QMS? Are document changes (revisions), corrective/preventive actions, and customer complaints processed in a timely manner? Are internal audits, management reviews, training and other such activities conducted at prescribed intervals and/or in accordance with established schedules?

6.1.b)

Are adequate resources provided to meet regulatory and customer requirements?

Are there sufficient equipment and machines to perform all specified product realization processes and monitoring/measurement activities? Are the equipment and machines adequate (qualified/calibrated where appropriate)? Are there sufficient qualified personnel to operate these processes? Are customer orders shipped on time?

6.2

Human resources

6.2.1 6.2.2.

Do personnel performing work affecting product quality have appropriate education, training, skills and experience? Are adequate records of their qualifications maintained?

Are competence (education, training, skills and/or experience) records maintained for each employee? What is the format of these records and who maintains them? How do managers/supervisors responsible for assignment of work activities know who is competent to perform a particular job (training matrix)?

6.2.2.a

Are competence requirements for personnel defined and training needs identified?

Are there defined competence (education, training, skills and/or experience) requirements for each job/position affecting product quality? How are they documented? Are training needs defined (who needs what training to meet competence requirements)?

6.2.2.b 6.2.2.c

Is training provided, or are other actions taken to satisfy the competence requirements?

Is the effectiveness of training (or other actions taken) evaluated?

Are new employees formally trained for new jobs/positions? How? Is this training recorded? After completion of training, how is the effectiveness of the training evaluated? Is it done for all training provided, without exceptions?

6.2.2.d

Are personnel made aware of the relevance and importance of their work and how they contribute to the achievement of quality objectives? Are personnel made aware of device defects which may occur from the improper performance of their specific jobs? Are personnel who perform verification and validation activities made aware of defects and errors that may be encountered as part of their job functions?

Are personnel aware of the quality objectives relevant to their jobs/positions and do they know how, specifically, they can contribute to reaching these objectives? Are personnel taught what specific defects can result when they don’t do their jobs correctly? Are personnel aware of specific consequences of product deficiencies and failures (safety, environmental, customer dissatisfaction, etc.)? Are photographs, drawings, samples or other aids showing the types of defects that may be encountered available to personnel performing product verifications (inspection and testing)?

6.3

Infrastructure

6.3

Is the needed infrastructure, to include
- buildings, workspaces and associated utilities,
- manufacturing equipment, and
- supporting services,
determined, provided and maintained?

Are buildings and facilities in good repair and properly maintained (look for leaking roofs, broken windows, contamination, infestation, etc.)? Is there sufficient space for office, production, and other operations and?

6.4

Work environment

6.4.a)

Are requirements for the work environment determined? Is the environment adequately managed?

In work areas, are temperature, humidity, particulate levels, bio burden, noise, and other environmental conditions compatible with the type of product and processes? Is there appropriate and adequate lighting at work stations?

7

Product Realization

7.1

Planning of product realization

7.1

Are product quality objectives and requirements determined?

Are quality objectives and requirements (tolerances, surface finish, workmanship standards, etc.) for the product defined? How are they documented (drawings, specifications, samples, etc.) and communicated (instructions, samples, training, etc.)?

7.1

Are production processes developed and established? Are adequate equipment, operators and other resources specific to the product provided?

Are production processes validated or tested? Who selects production equipment, and how? Are operators trained? Are there adequate work instructions? Select a sample of processes and ask how they were developed and validated/tested; and review the associated documentation (performance/validation test results, work instructions, operator qualification requirements, setup verification records, etc.).

7.1

Are there defined requirements for verification, validation, monitoring, inspection and test activities specific to the product? Are the criteria for product acceptance determined?

Are requirements for product inspection and testing defined and documented for all stages of product realization (receiving of purchased products, in-process and final product release)? Are inspection/testing methods and procedures defined and documented? Are acceptance criteria defined/documented? How is the quality plan for a product communicated to production and QC personnel (work order, procedures, checklists, etc.)?

7.1

Are there defined requirements for records needed to provide evidence that production processes and resulting product meet specified requirements?

Is each specified inspection, test and monitoring activity recorded? Is the scope and format of records defined (work orders, tags/tickets, forms, electronic data collection systems, etc.)?

7.1

Are there documented requirements for risk management throughout product realization? Are records arising from risk management maintained?

Are there risk analysis studies for key manufacturing processes and other product realization processes and activities? Are records arising from risk management used in product and/or process design and development? How?

7.2

Customer-related processes

7.2.1

Are product requirements defined and documented, and include
- requirements specified by the customer (including delivery and post-delivery);
- requirements not stated by the customer, but necessary for specified or intended use;
- statutory and regulatory requirements related to the product; and
- any additional requirements determined by the company?

How are customer requirements determined and communicated? Are they documented? Who processes this information and how is it done? Are there written procedures/instructions and/or training?

Are there any requirements that are not stated by the customer but are necessary? Are there any regulatory requirements? Who determines, and how, what these additional requirements are? Are they documented? How? Check a sample of orders to verify that procedures, instructions and/or training are being followed. Interview employees and review customer complaints to find out whether there is history of order requirements that were misunderstood and/or incomplete.

7.2.2

Prior to the commitment to supply product, are requirements related to the product reviewed to ensure that
- requirements are defined,
- any discrepancies and ambiguities are resolved, and
- company is able to meet the requirements?

Are review records maintained?

How are customer requirements reviewed, and by whom? Are there written procedures, instructions, checklists, and/or training? Are there records demonstrating that the required reviews are being conducted for every order?

Check a sample of orders to verify that procedures, instructions and/or training are being followed. Interview employees and review customer complaints and on-time delivery records to find out any cases of orders that were shipped late due to lack of adequate capacity to fulfill these orders.

7.2.2

Where product requirements are not documented (not communicated in writing), are the requirements confirmed before accepting the order?

Is it permissible to take and accept verbal orders? If so, are these orders confirmed? How are such orders confirmed?

Ask for records (copies) of the confirmations. Interview personnel to find out whether they were consistently trained/instructed to confirm verbal orders.

7.2.2

When changing or amending orders, are relevant documents amended, and are the changes communicated to relevant personnel?

How are change orders processed? Is there a system for amending documents? Are there written instructions, procedures and/or training? How is information about order changes communicated to relevant departments/personnel within the company?

Review a sample of change orders to verify that procedures, instructions and/or training are being followed. See if you can uncover any past problems caused by mishandling of change orders.

7.2.3.a 7.2.3.b

Are there defined and implemented arrangements for
- communicating product information, and
- handling enquiries, orders and change orders?

Are processes for communicating with customers adequately defined, to include policies, assignment of authorities and responsibilities, and methods (procedures, instructions, training)? Are these processes consistently implemented?

Verify that product brochures/specifications and other product information (including the internet site) are current.

7.2.3.c

Are effective arrangements defined for communicating with customers regarding customer feedback and customer complaints, and advisory notices?

Is there a system for receiving customer feedback and complaints (logs, complaint files, etc.)? Are responsibilities for handling customer complaints assigned? Is there a linkage with the corrective/preventive action system?

Is there a system for issuing advisory notices (refer to ISO 13485 Clause 8.5.1)?

7.3

Design and development

7.3.1

Are design and development processes and activities documented in procedures?

Are the following processes and activities documented in procedures: design planning, design inputs, design outputs, design reviews, design verification, design validation, design transfer, and design changes?

7.3.1

Are product design activities planned, to include
- the design stages;
- the review, verification, validation and design transfer activities appropriate to each stage; and
- assignment of responsibilities and authorities?

Is the design planning output documented, reviewed and approved, and is it updated as the design progresses?

Are design stages/activities identified? Are review, verification and validation activities identified? Are responsibilities/authorities for each activity assigned? Verify that there is a design project schedule, or at least due dates for completion of major design phases; and that it includes design reviews, design verification/validation, and design transfer activities. Are interfaces with different groups or activities identified and described? How is the design project plan documented? Are design plans reviewed and approved? How are the plans approved and by whom? How are the plans updated as the design progresses? Is there specific example/evidence of an actual design plan being subsequently updated?

7.3.2

Are design inputs determined and documented, and include, as applicable,
- functional, performance and safety requirements according to the intended use and needs of the user,
- statutory and regulatory requirements,
- information from previous similar designs,
- outputs of risk management?

Are there procedures for addressing incomplete, ambiguous or conflicting design input requirements?

Are design inputs reviewed for adequacy and approved by a designated person?

How is design input documented (design project book, kickoff sheet, etc.)? Are there examples/evidence of specific design inputs related to safety and to regulatory requirements? Are risk management studies conducted and are their results used in design inputs?

Who is responsible for reviewing and approving the input? How is the approval documented/recorded (must be hand-signed and dated)? How are changes and/or introduction of additional inputs handled?

In the design control procedure, are there documented specific mechanisms for addressing incomplete, ambiguous or conflicting requirements?

7.3.3

Are design outputs provided in a form that is suitable for verification against design input requirements? Are design outputs documented, reviewed, and approved prior to release?

7.3.3

Do design outputs  meet design input requirements,

Is design output documented? How? Are the documents reviewed and approved prior to release and by whom (must be hand-signed and dated)? How are preliminary documents distinguished from the final released documents? Verify that design output documents forwarded to production, subcontractors or other consultants are clearly identified as final or preliminary. Is there a systematic review to verify that design output meets design input requirements (last design review

Doc: XXX

Revision: A Documents checked and auditor notes

Pg. 11 of 23

INTERNAL AUDIT CHECKLIST Refs

7.3.3

7.3.4

Requirements

What to look for and how

 provide necessary information for purchasing and production,  contain acceptance criteria, and  specify product characteristics that are essential for its safe and proper use?

meeting)? Is information for purchasing, such as material specs, parts lists, etc. included? Are there clear specifications, drawings and instructions for production? Are there acceptance criteria for inspection and testing of product? Where applicable, are safety and operation/use features considered in the design and included in the design output?

Are there design project records (Design History File) demonstrating that design was developed in accordance with the approved design plan and with regulatory and quality system requirements?

Are the following types of documents included in the DHF: design plans; design input requirements and records of their reviews and approvals; conceptual and preliminary versions of design documents; studies, calculations and analysis supporting the design; protocols, reports, studies and other records of design verification and validation activities; records of review and approval of design output documents; agendas and minutes of design reviews?

Are design reviews conducted to evaluate whether the design is on track toward meeting input requirements, and to identify any problems and propose necessary actions?

Is there a documented procedure for conducting design reviews?

Do participants at each review include all functions concerned, any specialists needed, and a person who does not have direct responsibility for the design stage being reviewed?

Who participates? Is there someone who does not have direct responsibility for the stage being reviewed?

How many design reviews are planned for the design project? What is the role of these reviews?

Are there records of the reviews? Are there records demonstrating that the resulting actions are implemented and their effectiveness verified?

Are records of the reviews and the resulting actions maintained?

7.3.5

Are designs verified to ensure that design outputs have met the design input requirements? Are records of the verification results and any related actions maintained?

What specific actions are taken to verify that design outputs meet the design input requirements? Is this a systematic review? Are all design inputs considered? Are the actual verification results (calculations, data, etc.) included in the record? Do the design verification records identify methods, date and the individuals performing the verification?

7.3.6

Are designs validated to ensure that the resulting product is capable of meeting the requirements for user needs and intended uses? Are records of the validation results and any related actions maintained?

How is the design validated? Are the initial production units or a prototype used? Are use conditions simulated or actual? Is software validation applicable, and, if yes, was it carried out? Is risk analysis applicable (when failure of the device can create a safety hazard), and, if yes, was risk analysis performed? Are validation records maintained? Are the actual validation results (test data) included in the record? Do the design validation records identify methods, date and the individuals performing the validation?

7.3.7

Are design changes reviewed, verified, validated, as appropriate, and approved before their implementation? Are changes evaluated with respect to their effect on constituent parts and on product already delivered? Are records of changes maintained, to include their reviews/evaluations and any necessary actions?

How are requests for design changes documented and processed? Who reviews and approves requests for design changes? Is the effect of change on the overall product considered (ask for specific examples)? Who decides, and how, what reviews, verifications and validations need to be done for a design change? Are results of reviews, verifications and validations included in design change records?

7.4

Purchasing

7.4.1

Are suppliers and the supplied product adequately controlled to ensure that the product conforms to specified purchase requirements?

How are suppliers controlled: initial selection evaluations, ongoing monitoring, audits of supplier’s QMS and/or manufacturing processes, and requests for corrective actions? How is purchased product controlled: review of quality records (SPC charts, inspection reports, lab test results, etc.), receiving inspection? Who makes these decisions?

7.4.1

Are suppliers evaluated, and is supplier selection based on their ability to provide products conforming to specified requirements? Are supplier evaluation and selection (approval) criteria established? Is there an approved supplier list? Are records of supplier evaluations and related actions maintained?

Are suppliers evaluated and reviewed before they are approved? What are the scope, extent and criteria for evaluating and approving suppliers? Who decides? How is the approval documented (an approved vendor list)? Are there records of initial supplier evaluations? Select randomly and review a sample of supplier evaluation and monitoring files. Is their approval status clearly authorized? Is their performance consistently monitored? In the event of nonconforming deliveries, are they required to implement corrective actions? Is there a follow up?

7.4.2

Do purchasing specifications include, where appropriate,
• requirements for approval of product, procedures, processes and equipment;
• requirements for approval of personnel, and
• quality management system requirements?

Where appropriate, are there requirements for certificates, inspection reports, SPC data, approval of samples, etc. included in purchasing documents? Are there any requirements with regard to supplier’s quality management system?

7.4.2

Do purchasing documents include an agreement obliging suppliers to give notification of changes to their product or service?

In purchasing documents, is there an agreement that the supplier must notify the buyer of any changes to the supplied products or services? When such notification is received, who evaluates, and how, whether the changes have an effect on the quality of the finished device, and whether they are acceptable or not? How is this evaluation and its result documented?

Are purchasing specifications (data) approved before they are forwarded to suppliers?

How is adequacy of purchasing documents ensured? Are the documents reviewed and approved before release? Are there standard, pre-approved, specifications in the system? What other methods are used?

Review a sample of purchase orders, especially those where the product is expected to come with certificates.

See if you can uncover any past problems caused by errors or omissions in purchasing documents.

7.4.3

Are there established and implemented activities necessary for ensuring that purchased products meet specified requirements?

What is being done to ensure purchased product conformity: certificates or inspection reports from supplier or independent labs, SPC records, Cpk or Ppk requirements, in house receiving inspection, supplier’s QMS certification? Select a sample of purchased product categories and investigate for each what activities or arrangements are planned to ensure their conformity, how this plan is documented and communicated, and whether it is consistently implemented.

7.4.3

When intending to perform product verification at supplier premises, are verification arrangements and methods defined in the purchasing documents?

Is this relevant? If so, review a sample of purchase orders or contracts to ascertain that product verification and release methods are defined in the purchasing documents.

7.5

Production and service provision

7.5.1.a)

Are adequate product specifications available?

Are adequate product specifications (drawings, parts lists, math data, standards, samples, etc.) available to production personnel? Are the specifications approved and are they current? Interview production personnel and ask how they know what to make and what the requirements are for workmanship standards (appearance, precision, surface quality, color, etc.).

7.5.1.b)

Are adequate production specifications available, to include, as applicable: procedures, requirements, work instructions, reference materials, and reference measurement procedures?

Are there adequate instructions for operating machines and processes? Who decides and how (criteria) whether work instructions shall be established for a given process/work station? Are process parameters (temperature, pressure, speed, etc.) defined? Where process operators are required to make measurements, are there measurement procedures available? Ask operators what the settings should be for various parameters in their processes, and how they know this. What are the lower and upper limits for the parameters? What should they do, and how, when a parameter (temperature, for example) goes over limit?

7.5.1.f)

Are release, delivery and post-delivery activities implemented?

Are there defined responsibilities for these activities? How are requirements documented (procedures, work orders, servicing requisitions, etc.)? Are delivery-related activities defined in procedures, work instructions, training, etc.? Are appropriate records maintained?

7.5.1

Are there Device History Records (Batch Records) for each manufactured batch, lot or unit? Are the following records included in the DHRs:
• the date of manufacture, quantity manufactured, and quantity released for distribution;
• the acceptance records demonstrating that the device is manufactured in accordance with the DMR;
• the primary identification label and labeling used for each production unit;
• any device identifications and control numbers used; and
• other traceability information to the extent specified?

Who determines the exact scope of records included in the Device History Records (DHR), and how is the scope documented and communicated (procedure, traveler, work order form, etc.)? Is the DHR complete, e.g., includes all required categories of records? Are DHR records properly identified to specific batches, lots or units; and are the records easily retrievable?

7.5.1.2.3

Applies only where servicing is a specified requirement: Are there adequate instructions and procedures for performing servicing and for verifying that servicing meets the specified requirements? Are there documented service reports that include:
• name and identification (serial number) of the device serviced,
• date of service,
• identification of the individual servicing the device,
• description of the service performed, and
• test and inspection data?

Are service reports analyzed with appropriate statistical methodology to detect recurring quality problems?

Is this requirement applicable? Is servicing performed by the company or its authorized agent? Are there documented servicing instructions? Are servicing verification procedures included? Are there forms or other means provided for establishing servicing reports? How is it ensured that servicing technicians use the latest (correct) revision? Are servicing technicians trained/qualified? Who and how often analyzes servicing reports to detect recurring quality problems? What statistical methodology is used? Are corrective or preventive actions initiated to address problems?

7.5.2.1

Where the results of a production process cannot be fully verified by subsequent inspection and test, are these processes validated? Are validation results documented and approved? Are appropriate arrangements established for these processes, including
• criteria for their review and approval,
• monitoring and control of process parameters,
• personnel qualifications, and
• use of specific methods and procedures?

Are there process monitoring and control records for these processes, including date, methods, data, equipment, and the process operators? When changes or process deviations occur, are these processes revalidated? Are the results documented and approved?

Who is responsible for identifying processes requiring validation, and deciding what shall be the scope and approval criteria for the validation? Are validation results documented? Are the results reviewed, approved and signed by the individual approving the process and associated equipment? Are there documented qualification (training) requirements for process operators? Are process parameters monitored and controlled? Are the monitoring/control data recorded (including date, method, data, and identification of equipment and process operator)? Are processes revalidated (where appropriate)?

7.5.2.1

Where computer software is used for production and/or service provision (automated processes), are such software applications validated prior to initial use?

Is computer software used for production (in automated processes)? How was the software developed? For commercial, off-the-shelf software, is there any evidence that the software was properly validated by its developer? If developed in house or by a consultant, was it formally validated? Are validation results documented in reports? Are the reports available?

Are validation results documented? Are all software changes also validated?

Are all software revisions validated (at least partially to validate the changes)?

7.5.3.1

Are products suitably identified throughout product realization to prevent mix-ups?

Is there a documented procedure instructing how to identify product throughout product realization?

Are returned medical devices identified to distinguish them from conforming product?

7.5.3.2.1

Are there procedures or specifications defining the extent of product traceability and the records required?

How is it documented what production records are established and maintained, and how are these records correlated with specific production lots or batches? What criteria are used in deciding the extent of traceability, and who makes this decision? Review a sample of production records and verify the integrity of the traceability system. Verify that rework operations (diluting, mixing, reprocessing, etc.) do not compromise the integrity of the traceability system.

7.5.3.3

Throughout all product realization stages, are products identified with respect to their acceptance status to indicate the conformity or nonconformity of the product?

Are there specific product identification methods defined for conforming and nonconforming product at receiving? In production areas? At individual work stations and during processing? During servicing? What other controls are used to ensure that only product that has passed the required acceptance activities is distributed, used and installed?

7.5.4

When customer provides product for use or incorporation into the final product, is customer property identified, verified, protected and safeguarded? Are customers notified in any event of loss, damage or unsuitability of their property?

Is this relevant? Are customers supplying any materials, products, templates, molds, measuring devices, etc.? Are customers providing any intellectual property, such as drawings, specifications, procedures, health information, etc? If so, look for identification showing that the product/document belongs to customer. Investigate whether there were any events of loss, damage, or unsuitability of customer property and whether this was promptly reported back to the customer.


8

Measurement, analysis and improvement

8.1

General

8.1

Are measurement, analysis and improvement processes planned and implemented to
• demonstrate conformity of the product,
• ensure conformity of the QMS, and
• maintain the effectiveness of the QMS?

Are all product and process verification activities defined (in drawings, specifications, procedures, control plans, etc.)? What measurements/monitoring are planned to ensure conformity of the QMS (internal audits)? What measurements are planned to monitor the effectiveness of the QMS (reject rates, on-time delivery, customer satisfaction, etc.)?

8.1

Are applicable methods determined, including statistical techniques, for the measurement, analysis and improvement processes?

How are measuring/analysis methods defined (work instructions, procedures, standards, etc.)? Are statistical techniques used in inspection (sampling plans), in process control (SPC), in qualifying measurement systems (gauge R&R), etc.?

Are sampling plans based on valid statistical rationale? Are they documented? Are there procedures to ensure that sampling methods are adequate and that when changes occur the sampling plans are reviewed?

Are sampling plans based on statistical theory or recognized standards? Is it known what probabilities of finding nonconformity are associated with the sampling plan used? Is there a procedure requiring that sampling plans be reviewed in response to changes and events (process changes, increased risks, increase/decrease in identified nonconformities, etc.)?

8.2

Monitoring and measurement

8.2.1

Are methods determined for obtaining and using information related to whether the company has met customer requirements? Is there a system for obtaining and analyzing customer feedback to provide early warning of quality problems? Is customer feedback used as input into the corrective and preventive action processes?

What information is used to determine whether customer requirements have been met (rates of nonconforming product shipped, on-time delivery performance, etc.)? How is this information obtained (returned product, customer complaints, shipping records, etc.)? How often? How is this information processed and used (for example, statistical analysis reported to management review)? Are corrective or preventive actions raised in response to customer feedback?

8.2.2

Are internal audits planned and conducted to determine whether the quality management system conforms to requirements and whether it is effectively implemented and maintained?

Is there an internal audit plan/schedule? Are status and importance of a process considered when planning audits (increased audit frequency for important and/or problematic processes/areas)? Are all relevant processes and areas covered by the audit plan/schedule? Are all applicable requirements of ISO 13485 covered?

8.2.2

Are audit criteria, scope, frequency and methods defined and documented? Is the audit process objective and impartial?

Is there a written procedure for internal auditing? Are auditors trained? How are audit criteria and scope documented (standard, checklists, etc.)? Are there any records of what specific evidence was reviewed (usually auditor notes on checklists)? How are nonconformities documented? Are auditors impartial and independent from the work being audited?

8.2.2

Are corrective actions taken to eliminate detected nonconformities and their causes? Are corrective actions followed up to verify the actions taken and to report the verification results?

Are specific responsibilities assigned for corrective actions to eliminate nonconformities and their causes? Are corrective actions documented/recorded? Is there a follow up to verify the implementation and effectiveness of corrective actions?

8.2.3

Are quality system processes monitored and measured? When planned results are not achieved, are corrections and corrective actions taken to ensure conformity of the product?

Are all specified process monitoring activities implemented? Are process monitoring methods and acceptance criteria documented? Are results recorded? When processes are changed, corrected or adjusted to fix problems or improve performance, are these corrections documented? How?

8.2.4

Are all product acceptance activities (in-process and final inspections and tests) carried out in accordance with planned arrangements and documented procedures?

How are requirements for inspection and testing activities documented (control plans, work orders, travelers, procedures, etc.)? How are they communicated to production and QC personnel?

Are in-process products controlled to prevent their use (further processing) before the required acceptance activities are completed?

How are in-process inspections and tests recorded? What measures are implemented to prevent product from moving to the next processing stage before the required in-process inspections are completed? Is the identity of the inspecting/testing personnel recorded? Select a sample of production/QC records and verify that all specified inspections were performed and the results recorded.

8.2.4

Are there effective measures implemented to prevent release of product for distribution before
• all activities required in the DMR are completed,
• the associated data and documentation is reviewed, and
• the release is dated and is authorized by a signature of a designated person(s)?

Are product release activities documented in a procedure? Who verifies, and how, that all specified production and acceptance activities have been completed? Is there a checklist for the review of the associated data and documentation? How are results of this review recorded? Are product release authorizations dated and signed? How is the released product identified (distinguished from product that has not yet been released)? What measures are implemented to ensure that product that has not been formally released is not used or shipped? Ask personnel in inventory management and shipping functions how they know (and verify) the release status of any given product (batch). Select a sample of production/QC records (and/or product staged for shipping) and verify that all product release activities were carried out as planned.

8.2.4

Are acceptance and release records maintained, and do they include
• identification of acceptance activities performed and, where appropriate, the methods and equipment used,
• the results, and
• dates and signatures of the individuals performing the acceptance activities?

For each run, lot or batch of finished devices, are there complete records of all inspections, tests and other release activities and their results? Are release records dated and signed by the individuals performing the acceptance activities? Are these records included in the DHR? How long are they maintained? Are they easily retrievable?

Are these records included in the DHR?

8.3

Control of nonconforming product

8.3

Are nonconforming products properly identified and controlled to prevent their unintended use or delivery?

Is there a procedure for identifying, controlling and dealing with nonconforming product? Are nonconforming products segregated? Quarantined? How?

8.3

Are nonconforming products evaluated to determine the nature and causes of the nonconformity and to disposition whether to
• eliminate the nonconformity (rework),
• authorize their use, release or acceptance (accept as-is by concession), or
• preclude their original use or application (scrap or re-grade)?

Are responsibilities assigned for making NC product disposition decisions? Are these decisions documented? How is this documentation associated with the actual product (control number, special stickers/tag, copy of the NCR report attached to the product, etc.)? When accepting NC products by concession, is there an evaluation carried out whether the product continues to meet regulatory requirements? Who has the authority to accept NC products by concession?

Does the evaluation include the determination of a need for an investigation and notification of the persons or organizations responsible for the nonconformity?

Is there a determination whether external organizations or individuals should be involved in the investigation of the nonconformity? How is it documented?


8.3

Are records maintained of the nonconformities and any subsequent action taken?

Are there records describing the nature of nonconformities and actions taken? Are they traceable to specific product batches or shipments? How long are these records retained?

8.3

Are actions taken to mitigate the effects of nonconformity when a nonconforming product has been shipped (or use has started)?

What actions are taken when product nonconformity is detected after delivery? Who decides what needs to be done? Are these decisions documented? How? Is there a follow up to determine whether the actions were completed and were effective?

8.3

If product needs to be reworked, are the rework processes documented and approved?

Are there documented rework instructions? Are they approved by the same authorization and approval procedure as the original work instructions?

Are reworked and repaired products reverified to demonstrate their conformity? Is a determination made whether there are any adverse effects of rework upon the product? Is this determination documented? Is it included in the DHR?

Are reworked or repaired products re-verified (reinspected, re-tested, etc.) to their original specification? Are the results recorded? Is reworked product formally released for use or delivery? Is there a documented determination of any adverse effects of rework? Who makes this determination? Are rework records (type and extent of rework, product acceptance activities, etc.) included in the DHR?

8.4

Analysis of data

8.4

Are appropriate data on the performance of the quality management system collected and analyzed, to include
• customer feedback,
• product conformity,
• characteristics and trends of processes and products (including opportunities for preventive actions), and
• suppliers?

What specific data and information are collected regarding customer feedback? Are data on product nonconformity rates collected? Are there data on trends of characteristics of processes and products (e.g., on how these characteristics vary within the specified tolerance)? What specific supplier performance data are being systematically collected (on-time delivery, nonconformity rates, etc.)? Is it determined how the quality performance data is to be collected and by whom? How the data is processed, analyzed and used?

8.5

Improvement and corrective/preventive action

8.5.1

Are changes necessary to maintain the suitability and effectiveness of the quality system identified and implemented, through the use of
• quality policy,
• quality objectives,
• audit results,
• analysis of data,
• corrective and preventive actions, and
• management reviews?

Is there a process for identifying the need for changes to the quality system? How are the quality policy and quality objectives used in this process? How are audit results and analysis of data used? What specific improvements have been implemented through the current (last) cycle? Is there a systematic process for implementing improvements and for verifying their effectiveness (objective implementation projects, corrective and preventive actions, etc.)?

8.5.1

Is there a procedure for issue and implementation of advisory notices?

Is the procedure for issuing advisory notices and product recall sufficiently comprehensive, detailed and practical to implement? Are the authority and responsibility for making recall decisions clearly defined? How much time is needed to implement the procedure during a weekend? Was the procedure ever implemented? Are there any records demonstrating the effectiveness of the procedure?

Is this procedure capable of being implemented at any time?

8.5.1

Is there a procedure for receiving, reviewing and evaluating complaints? Are all complaints, including oral complaints, documented?

8.5.1


Are complaints reviewed and evaluated to determine whether an investigation and/or corrective action are necessary? Are all complaints involving the possible nonconformity of a device investigated (unless a similar investigation was already performed)? When no investigation and/or corrective action are made, is there a record with a justification why investigation was not required, and with the name of the person who is responsible for this decision?

Who is responsible for processing complaints? Are these responsibilities formally documented? Is there a form for documenting oral complaints? Who is responsible for making the determination whether a complaint represents a reportable event? Is every complaint evaluated in this regard? Is the determination documented (checkbox on the complaint form)? Who is responsible for making the determination whether a complaint should be investigated and whether a corrective or preventive action is appropriate? Is every complaint evaluated in this regard? Is the determination documented (checkbox on the complaint form)? Are all complaints associated with device nonconformity investigated? Is a documented justification established when a decision is made not to investigate and/or not to implement a corrective or preventive action?

8.5.2 8.5.3

Are actions taken to eliminate causes of existing and potential nonconformities to prevent recurrence?

How many corrective actions have been initiated through the period? How many are open? How long have they been open? Are there due dates?

8.5.2 8.5.3

Is there a documented procedure for
• analyzing sources of quality and quality performance data to identify existing and potential causes of nonconforming product or other quality problems;
• investigating the causes of nonconformities;
• identifying and implementing the actions needed to correct and prevent recurrence of nonconforming product or other quality problems;
• verifying the effectiveness of corrective and preventive actions;
• reporting quality problems and associated corrective and preventive actions to management review; and
• maintaining records of corrective and preventive actions and their results?

Is there a documented procedure for corrective actions? How are existing and potential nonconformities identified and reviewed (nonconforming product/process reports, customer-returned product, product returned for servicing, customer complaints, etc.)? How are causes determined? Are they documented (CAR form)? How is the need for corrective actions determined (authorized personnel/managers issuing CARs)? How are the required actions determined and recorded (in a CAR form)? Are corrective actions followed up and are their results recorded? Are CARs implemented and closed out in a timely manner? Are corrective/preventive actions reviewed (Management Review)?
