QMS Audit Expert¶
Domain: Regulatory & Quality | Skill: qms-audit-expert | Source: ra-qm-team/qms-audit-expert/SKILL.md
QMS Audit Expert¶
ISO 13485 internal audit methodology for medical device quality management systems.
Table of Contents¶
- Audit Planning Workflow
- Audit Execution
- Nonconformity Management
- External Audit Preparation
- Reference Documentation
- Tools
Audit Planning Workflow¶
Plan risk-based internal audit program:
- List all QMS processes requiring audit
- Assign risk level to each process (High/Medium/Low)
- Review previous audit findings and trends
- Determine audit frequency by risk level
- Assign qualified auditors (verify independence)
- Create annual audit schedule
- Communicate schedule to process owners
- Validation: All ISO 13485 clauses covered within cycle
Risk-Based Audit Frequency¶
| Risk Level | Frequency | Criteria |
|---|---|---|
| High | Quarterly | Design control, CAPA, production validation |
| Medium | Semi-annual | Purchasing, training, document control |
| Low | Annual | Infrastructure, management review (if stable) |
Audit Scope by Clause¶
| Clause | Process | Focus Areas |
|---|---|---|
| 4.2 | Document Control | Document approval, distribution, obsolete control |
| 5.6 | Management Review | Inputs complete, decisions documented, actions tracked |
| 6.2 | Training | Competency defined, records complete, effectiveness verified |
| 7.3 | Design Control | Inputs, reviews, V&V, transfer, changes |
| 7.4 | Purchasing | Supplier evaluation, incoming inspection |
| 7.5 | Production | Work instructions, process validation, DHR |
| 7.6 | Calibration | Equipment list, calibration status, out-of-tolerance |
| 8.2.2 | Internal Audit | Schedule compliance, auditor independence |
| 8.3 | NC Product | Identification, segregation, disposition |
| 8.5 | CAPA | Root cause, implementation, effectiveness |
Auditor Independence¶
Verify auditor independence before assignment:
- Auditor not responsible for area being audited
- No direct reporting relationship to auditee
- Not involved in recent activities under audit
- Documented qualification for audit scope
Audit Execution¶
Conduct systematic internal audit:
- Prepare audit plan (scope, criteria, schedule)
- Review relevant documentation before audit
- Conduct opening meeting with auditee
- Collect evidence (records, interviews, observation)
- Classify findings (Major/Minor/Observation)
- Conduct closing meeting with preliminary findings
- Prepare audit report within 5 business days
- Validation: All scope items covered, findings supported by evidence
Evidence Collection¶
| Method | Use For | Documentation |
|---|---|---|
| Document review | Procedures, records | Document number, version, date |
| Interview | Process understanding | Interviewee name, role, summary |
| Observation | Actual practice | What, where, when observed |
| Record trace | Process flow | Record IDs, dates, linkage |
Audit Questions by Clause¶
Document Control (4.2): - Show me the document master list - How do you control obsolete documents? - Show me evidence of document change approval
Design Control (7.3): - Show me the Design History File for [product] - Who participates in design reviews? - Show me design input to output traceability
CAPA (8.5): - Show me the CAPA log with open items - How do you determine root cause? - Show me effectiveness verification records
See references/iso13485-audit-guide.md for complete question sets.
Finding Documentation¶
Document each finding with:
Requirement: [Specific ISO 13485 clause or procedure]
Evidence: [What was observed, reviewed, or heard]
Gap: [How evidence fails to meet requirement]
Example:
Requirement: ISO 13485:2016 Clause 7.6 requires calibration
at specified intervals.
Evidence: Calibration records for pH meter (EQ-042) show
last calibration 2024-01-15. Calibration interval is
12 months. Today is 2025-03-20.
Gap: Equipment is 2 months overdue for calibration,
representing a gap in calibration program execution.
Nonconformity Management¶
Classify and manage audit findings:
- Evaluate finding against classification criteria
- Assign severity (Major/Minor/Observation)
- Document finding with objective evidence
- Communicate to process owner
- Initiate CAPA for Major/Minor findings
- Track to closure
- Verify effectiveness at follow-up
- Validation: Finding closed only after effective CAPA
Classification Criteria¶
| Category | Definition | CAPA Required | Timeline |
|---|---|---|---|
| Major | Systematic failure or absence of element | Yes | 30 days |
| Minor | Isolated lapse or partial implementation | Recommended | 60 days |
| Observation | Improvement opportunity | Optional | As appropriate |
Classification Decision¶
Is required element absent or failed?
├── Yes → Systematic (multiple instances)? → MAJOR
│ └── No → Could affect product safety? → MAJOR
│ └── No → MINOR
└── No → Deviation from procedure?
├── Yes → Recurring? → MAJOR
│ └── No → MINOR
└── No → Improvement opportunity? → OBSERVATION
CAPA Integration¶
| Finding Severity | CAPA Depth | Verification |
|---|---|---|
| Major | Full root cause analysis (5-Why, Fishbone) | Next audit or within 6 months |
| Minor | Immediate cause identification | Next scheduled audit |
| Observation | Not required | Noted at next audit |
See references/nonconformity-classification.md for detailed guidance.
External Audit Preparation¶
Prepare for certification body or regulatory audit:
- Complete all scheduled internal audits
- Verify all findings closed with effective CAPA
- Review documentation for currency and accuracy
- Conduct management review with audit as input
- Prepare facility and personnel
- Conduct mock audit (full scope)
- Brief personnel on audit protocol
- Validation: Mock audit findings addressed before external audit
Pre-Audit Readiness Checklist¶
Documentation: - [ ] Quality Manual current - [ ] Procedures reflect actual practice - [ ] Records complete and retrievable - [ ] Previous audit findings closed
Personnel: - [ ] Key personnel available during audit - [ ] Subject matter experts identified - [ ] Personnel briefed on audit protocol - [ ] Escorts assigned
Facility: - [ ] Work areas organized - [ ] Documents at point of use current - [ ] Equipment calibration status visible - [ ] Nonconforming product segregated
Mock Audit Protocol¶
- Use external auditor or qualified internal auditor
- Cover full scope of upcoming external audit
- Simulate actual audit conditions (timing, formality)
- Document findings as for real audit
- Address all Major and Minor findings before external audit
- Brief management on readiness status
Reference Documentation¶
ISO 13485 Audit Guide¶
references/iso13485-audit-guide.md contains:
- Clause-by-clause audit methodology
- Sample audit questions for each clause
- Evidence collection requirements
- Common nonconformities by clause
- Finding severity classification
Nonconformity Classification¶
references/nonconformity-classification.md contains:
- Severity classification criteria and decision tree
- Impact vs. occurrence matrix
- CAPA integration requirements
- Finding documentation templates
- Closure requirements by severity
Tools¶
Audit Schedule Optimizer¶
# Generate optimized audit schedule
python scripts/audit_schedule_optimizer.py --processes processes.json
# Interactive mode
python scripts/audit_schedule_optimizer.py --interactive
# JSON output for integration
python scripts/audit_schedule_optimizer.py --processes processes.json --output json
Generates risk-based audit schedule considering: - Process risk level - Previous findings - Days since last audit - Criticality scores
Output includes: - Prioritized audit schedule - Quarterly distribution - Overdue audit alerts - Resource recommendations
Sample Process Input¶
{
"processes": [
{
"name": "Design Control",
"iso_clause": "7.3",
"risk_level": "HIGH",
"last_audit_date": "2024-06-15",
"previous_findings": 2
},
{
"name": "Document Control",
"iso_clause": "4.2",
"risk_level": "MEDIUM",
"last_audit_date": "2024-09-01",
"previous_findings": 0
}
]
}
Audit Program Metrics¶
Track audit program effectiveness:
| Metric | Target | Measurement |
|---|---|---|
| Schedule compliance | >90% | Audits completed on time |
| Finding closure rate | >95% | Findings closed by due date |
| Repeat findings | <10% | Same finding in consecutive audits |
| CAPA effectiveness | >90% | Verified effective at follow-up |
| Auditor utilization | 4 days/month | Audit days per qualified auditor |