Standard Operating Procedure: Medical Device Facility Quality Audit

This Standard Operating Procedure (SOP) outlines the requirements for conducting a comprehensive quality audit of a medical device manufacturing facility. This audit is designed to ensure compliance with global regulatory standards, including ISO 13485:2016, 21 CFR Part 820 (Quality System Regulation), and relevant local health authority mandates. The objective is to verify that the Quality Management System (QMS) is not only documented but effectively implemented, maintained, and capable of ensuring the safety and performance of medical devices throughout their lifecycle.

1. Document Control and QMS Administration

• Verify the existence of a current Quality Manual and ensure all Quality Policy objectives are being met.
• Confirm that all documents are uniquely identified, version-controlled, and approved by authorized personnel.
• Ensure that obsolete documents are removed from points of use to prevent unintended use.
• Check the procedure for document change control; verify that changes are impact-assessed before implementation.
• Audit the "Record Retention" policy to ensure records are legible, readily identifiable, and retrievable.

2. Design and Development Controls

• Review the Design History File (DHF) for a selected device to ensure compliance with the Design Input/Output requirements.
• Verify that design verification and validation (V&V) protocols and reports are signed and dated.
• Confirm that risk management activities (ISO 14971) are integrated into the design process.
• Ensure that design changes are verified or validated before approval and implementation.
• Check for formal design reviews at appropriate stages of the development lifecycle.

3. Production and Process Controls

• Verify that the Device Master Record (DMR) is complete and matches the current production processes.
• Inspect the facility for adequate environmental controls (e.g., cleanroom particulate monitoring, temperature/humidity logs).
• Review calibration records for all monitoring and measuring equipment used in the manufacturing process.
• Check the procedure for non-conforming product control; verify that segregated areas exist for quarantine.
• Evaluate equipment maintenance logs to ensure preventive maintenance schedules are strictly followed.

4. Corrective and Preventive Action (CAPA)

• Examine the CAPA log for evidence of root cause analysis (RCA) methodology.
• Confirm that actions taken are appropriate to the risk level of the non-conformity.
• Verify that the effectiveness of corrective actions is assessed after a reasonable timeframe.
• Ensure that recurring quality issues are being identified and addressed systematically through the CAPA process.

5. Management Responsibility and Training

• Review Management Review Meeting minutes to ensure top management is actively involved in the QMS.
• Audit personnel training files; ensure every employee has documented training for their specific job functions.
• Confirm that training effectiveness is evaluated periodically, not just through attendance logs.
• Verify that internal audit schedules are being met and that audit findings are tracked to closure.

Pro Tips & Pitfalls

• The "Show Me" Rule: Never accept a verbal explanation if a record exists. If it isn't documented, it didn't happen in the eyes of an auditor.
• Pitfall - The "Binder" Trap: Many facilities keep pristine binders for audits but fail to follow those procedures in daily reality. Auditors look for the "grease on the machine"—real-world evidence of usage.
• Pro Tip - Follow the Paper Trail: Select a single batch or serial number and "cradle-to-grave" it. Track it from raw material receipt through manufacturing, sterilization, and final shipment. This is the fastest way to find systemic gaps.
• Pitfall - Ignoring Software: With the rise of IoT medical devices, ensure software validation and cybersecurity patches are treated with the same rigor as physical hardware.

FAQ

Q: How often should we conduct an internal quality audit? A: Regulatory requirements typically mandate that internal audits be performed at planned intervals, usually at least annually. However, high-risk processes or significant QMS changes may necessitate more frequent, focused audits.

Q: What is the biggest red flag during an audit? A: A lack of connection between a CAPA and its root cause. If the facility identifies a problem but repeatedly "fixes" it with retraining instead of addressing a design or process flaw, it indicates a weak or superficial QMS.

Q: Can we outsource the internal audit function? A: Yes, many companies hire third-party consultants to perform internal audits to gain an objective, "fresh eyes" perspective. However, the responsibility for ensuring the audit takes place and that findings are corrected remains with the facility's management.