Template Registry
Templates | 8 min read | Updated May 2026

Medical Device QMS Audit SOP: ISO 13485 & FDA Compliance

Having a well-structured audit checklist for medical devices is the single most important step you can take to ensure consistency, reduce errors, and save countless hours of repeated effort. Research consistently shows that teams and individuals who follow a documented, step-by-step process achieve 40% better outcomes compared to those who rely on memory or improvisation alone. Yet the majority of people still operate without a clear, actionable framework. This comprehensive Medical Device QMS Audit SOP: ISO 13485 & FDA Compliance template bridges that gap, giving you a battle-tested, ready-to-use guide that covers every critical step from start to finish, so nothing falls through the cracks.


Complete SOP & Checklist

Standard Operating Procedure

Registry ID: TR-AUDIT-CH

Standard Operating Procedure: Medical Device Quality Management System (QMS) Audit

This Standard Operating Procedure (SOP) outlines the comprehensive audit process for verifying compliance with medical device regulatory requirements, including ISO 13485:2016 and FDA 21 CFR Part 820. This audit is designed to assess the effectiveness of the Quality Management System, ensure product safety and efficacy, and maintain a state of continuous "audit readiness." Auditors must document all findings objectively, referencing specific regulatory clauses or internal procedures to ensure transparency and traceability throughout the device lifecycle.

Phase 1: Quality Management System (QMS) & Document Control

  • Verify that the Quality Manual is current, approved, and reflects the current scope of operations.
  • Ensure all Standard Operating Procedures (SOPs) and Work Instructions (WIs) are version-controlled and accessible.
  • Confirm that document change control processes are followed, including evidence of impact analysis and cross-functional review.
  • Check for the presence of a formal Records Retention Policy and compliance with data integrity requirements (ALCOA+).

Phase 2: Design and Development Controls

  • Review the Design History File (DHF) for completeness, ensuring all design inputs, outputs, verification, and validation activities are documented.
  • Verify that Design Reviews are conducted at appropriate stages with documented evidence of action items closure.
  • Assess Risk Management files (ISO 14971) to ensure hazards are identified, mitigated, and residual risks are documented as acceptable.
  • Confirm that Design Changes are formally validated and verified before implementation.

Phase 3: CAPA, Complaints, and Post-Market Surveillance

  • Review the Corrective and Preventive Action (CAPA) log to ensure timely investigation and effective root cause analysis.
  • Audit the Complaint Handling process to confirm that reports are categorized, investigated, and escalated to regulatory authorities (MDR/Vigilance) when required.
  • Verify that Post-Market Surveillance (PMS) plans are active and that real-world performance data is being fed back into the risk management process.
  • Check that "Effectiveness Checks" are performed for all closed CAPAs.

Phase 4: Production and Process Controls

  • Inspect the Device History Records (DHR) to ensure each batch/lot is traceable and released only after passing all specifications.
  • Verify that equipment calibration and maintenance schedules are current, with valid certificates on file.
  • Ensure validated processes (e.g., sterilization, packaging, welding) have active validation protocols and periodic re-validation reports.
  • Confirm that non-conforming materials are segregated, labeled, and dispositioned per procedure (e.g., Rework, Scrap, or Use-as-is).

Phase 5: Supplier Management

  • Audit the Approved Supplier List (ASL) against current procurement activities.
  • Verify that Supplier Quality Agreements are signed and on file for all critical suppliers.
  • Review supplier evaluation and re-evaluation records based on quality performance (e.g., incoming inspection pass rates, on-time delivery).

Pro Tips & Pitfalls

  • Pro Tip (The "Show Me" Approach): Never rely solely on verbal confirmation. If an auditor asks, "How do you handle X?" and you answer, you must immediately show the SOP and a completed record as evidence.
  • Pro Tip (Traceability): Ensure the "Golden Thread" exists—be able to link a customer complaint back to a design requirement, then to the specific DHR/batch record, and finally to a closed CAPA.
  • Pitfall (The "Silo" Effect): Many companies fail because the R&D team and the Quality team do not communicate. If a design change happens in R&D without notifying Quality/Regulatory, it is a major non-conformance.
  • Pitfall (Training Gaps): The most common "low-hanging fruit" for auditors is finding that employees are performing tasks without documented training records on the current version of the SOP.

Frequently Asked Questions (FAQ)

Q: How often should a medical device company perform an internal audit?
A: Per ISO 13485, internal audits must be conducted at "planned intervals." Most high-performing organizations perform a full system audit once per year, with smaller "spot audits" conducted quarterly.

Q: What is the most critical item to have ready during an audit?
A: The CAPA log and the Management Review minutes. These two documents provide an overview of the company’s "Quality Culture" and indicate whether management is aware of and actively addressing system weaknesses.

Q: If we find a non-conformance during an internal audit, does it automatically mean we will fail a regulatory inspection?
A: No. In fact, finding and documenting your own non-conformances—and initiating a CAPA to fix them—demonstrates a robust and functioning QMS. Regulatory bodies prefer to see a self-correcting system rather than a "perfect" system that hides errors.
