QMS Audit Elite

A specialized skill for Quality Management System auditing — covering ISO 13485 compliance assessment, internal audit planning and execution, nonconformity documentation, CAPA evaluation, and audit program management for medical device organizations.

When to Use This Skill

Choose QMS Audit Elite when you need to:

• Plan and execute internal QMS audits against ISO 13485:2016
• Evaluate design control procedures and DHF completeness
• Audit production and process control documentation
• Assess CAPA system effectiveness and trending
• Prepare for Notified Body or FDA QMS inspections

Consider alternatives when:

• You need ISMS auditing (use an ISO 27001 skill)
• You need CAPA investigation specifically (use a CAPA skill)
• You need risk management auditing (use an ISO 14971 skill)

Quick Start

Copy
# Create an ISO 13485 internal audit checklist
claude "Generate an internal audit checklist for ISO 13485:2016 Clause 7.3 (Design and Development) for a Class II medical device company. Include audit questions, evidence requirements, and typical findings."

Copy
# Internal Audit Checklist: ISO 13485 Clause 7.3
**Standard**: ISO 13485:2016 — Design and Development
**Audit Date**: ___________
**Auditor**: ___________
**Area**: R&D / Engineering

## 7.3.1 General
| # | Question | Evidence Required | Finding |
|---|----------|-------------------|---------|
| 1 | Is there a documented design and development procedure? | SOP reference | |
| 2 | Does the procedure address all sub-clauses (7.3.1-7.3.10)? | Procedure review | |

## 7.3.2 Design and Development Planning
| # | Question | Evidence Required | Finding |
|---|----------|-------------------|---------|
| 3 | Is there a design plan for the current project? | Design plan document | |
| 4 | Does the plan define design phases and reviews? | Plan content | |
| 5 | Are responsibilities and authorities defined? | Org chart, plan | |
| 6 | Is the plan updated as design evolves? | Revision history | |

## 7.3.3 Design and Development Inputs
| # | Question | Evidence Required | Finding |
|---|----------|-------------------|---------|
| 7 | Are functional and performance requirements documented? | Design input document | |
| 8 | Are applicable regulatory requirements identified? | Standards list | |
| 9 | Are risk management inputs included? | ISO 14971 risk file | |
| 10| Are inputs reviewed and approved? | Signatures, approval records | |

## 7.3.4 Design and Development Outputs
| # | Question | Evidence Required | Finding |
|---|----------|-------------------|---------|
| 11| Do outputs meet input requirements? | Traceability matrix | |
| 12| Are outputs approved before release? | Approval records | |
| 13| Do outputs reference acceptance criteria? | Test specifications | |

## Common Findings (Clause 7.3)
- Design inputs incomplete (missing regulatory requirements)
- Traceability matrix not maintained as design evolves
- Design reviews not documented with required attendees
- Design validation not performed under actual use conditions

Core Concepts

ISO 13485:2016 Clause Structure

Clause	Title	Key Audit Focus
4	Quality Management System	QMS documentation, QM
5	Management Responsibility	Management review, policy
6	Resource Management	Training, infrastructure
7	Product Realization	Design, production, purchasing
8	Measurement, Analysis	CAPA, monitoring, audits

Audit Process Phases

Copy
## Internal Audit Lifecycle

### Phase 1: Planning (2-4 weeks before)
- Define audit scope and criteria
- Select auditor(s) — ensure independence
- Review previous audit findings
- Prepare audit checklist
- Notify auditee with schedule

### Phase 2: Execution (Audit days)
- Opening meeting (scope, schedule, methods)
- Document review and evidence collection
- Process observation and interviews
- Finding classification and documentation
- Daily briefings with auditee

### Phase 3: Reporting (1-2 weeks after)
- Draft audit report with findings
- Classify findings (major/minor/observation)
- Identify required corrective actions
- Closing meeting with management
- Distribute final audit report

### Phase 4: Follow-up (30-90 days after)
- Verify corrective action implementation
- Assess effectiveness of corrections
- Close audit findings with evidence
- Update audit program records

Nonconformity Documentation

Copy
## Nonconformity Report Template

**NCR Number**: NCR-2024-XXX
**Audit**: Internal Audit — Clause 7.3
**Date Found**: YYYY-MM-DD
**Classification**: Major / Minor

### Finding Statement
[Objective description of what was found, referencing
the specific requirement that was not met]

Example: "Design validation for Device-X (DHF-042) was
performed using simulated data rather than under actual
or simulated use conditions as required by ISO 13485
Clause 7.3.6 and the organization's SOP-DES-003 §5.6."

### Objective Evidence
- DHF-042, Validation Report Rev A, dated 2024-09-15
- Interview with Design Engineer on 2024-12-16
- SOP-DES-003 Rev 5, Section 5.6

### Root Cause (completed by auditee)
[To be completed within 30 days]

### Corrective Action (completed by auditee)
[To be completed within 60 days]

### Effectiveness Check
[To be verified by auditor within 90 days]

Configuration

Parameter	Description	Example
standard	QMS standard being audited	"ISO 13485:2016"
clause_focus	Specific clauses to audit	["7.3", "8.5.2"]
device_class	Medical device classification	"Class II"
audit_type	Type of QMS audit	"internal" / "supplier"
previous_findings	Include prior audit finding review	true
output_format	Audit report format	"markdown" / "docx"

Best Practices

1. Prepare audit checklists but don't follow them rigidly — Checklists ensure coverage of standard requirements, but the best findings come from following the evidence trail. When an answer reveals a potential issue, pursue it even if it's not on the checklist.

2. Sample records systematically, not randomly — When auditing design controls, trace one complete design project through every sub-clause (planning through transfer). This end-to-end sampling reveals gaps between process steps that random sampling misses.

3. Write findings in ISO-ready language — "Design validation was not performed under actual use conditions (Clause 7.3.6)" is auditable. "Testing was bad" is not. Every finding should state the requirement, what was observed, and the objective evidence.

4. Track audit finding trends across cycles — Individual findings matter, but patterns across multiple audits reveal systemic issues. If design input deficiencies appear in three consecutive audits, the corrective actions are not effective — escalate this as a separate, higher-level finding.

5. Verify previous corrective actions before opening new audit — The first item on any audit should be reviewing the status of findings from the previous audit. Unresolved findings from prior audits are themselves findings and demonstrate potential CAPA system weakness.

Common Issues

Auditor independence is compromised in small organizations — ISO 13485 requires auditors to be independent of the area being audited. In companies with 20-30 employees, this is challenging. Cross-train staff from different departments to audit each other, or use external auditors for areas where independence is impossible internally.

Audit reports are too vague for effective corrective action — "Documentation needs improvement" gives the auditee nothing to work with. Each finding must specify: which document, what was missing or wrong, which requirement was not met, and what objective evidence supports the finding.

Management review doesn't address audit findings systematically — ISO 13485 requires management review to include audit results as an input. Many organizations mention audits briefly in management review minutes without analyzing trends, assigning resources, or tracking resolution. Make audit findings a standing agenda item with status tracking.