ISO 13485 Audit Checklist for Medical Device Plants
By Charles Donovan on May 30, 2026
ISO 13485:2016 is the stand-alone QMS standard specifically designed for medical device manufacturers. Unlike ISO 9001, it places much stronger emphasis on risk management, design controls, validation, traceability, and regulatory compliance — because a device failure can directly impact patient safety. This audit checklist walks through every major clause of ISO 13485:2016 — from Quality Management System requirements through Management Responsibility, Resource Management, Product Realisation, and Measurement/Analysis/Improvement — so you can assess your current compliance posture before a formal internal or external audit. Each section includes the specific audit questions, evidence requirements, and iFactory features that support 21 CFR Part 11 e-signatures, photo evidence, and an auditable trail.
Maintain 21 CFR Part 11 E-Signatures and Audit Trail With iFactory
iFactory gives medical device manufacturers a structured platform for internal audits, supplier audits, and CAPA tracking — with full FDA 21 CFR Part 11 electronic signature compliance, timestamped photo evidence, and an immutable audit trail.
Quality Management System — General Requirements & Documentation
Clause 4 is the backbone of ISO 13485. It requires the organisation to establish, document, implement, and maintain a QMS that covers all processes needed for product realisation, risk management, and regulatory compliance. The auditor will expect to see not just documented procedures but evidence that the system is being followed day to day.
4.1 General Requirements
Has the organisation identified all QMS processes and determined their sequence and interaction?
Process interaction matrix or turtle diagrams; QMS manual section on process mapping
Are criteria and methods for effective operation and control of these processes defined and applied?
Process KPIs, control plans, work instructions, monitoring check sheets
Are records maintained to demonstrate process operation and conformity to requirements?
Completed batch records, inspection logs, equipment calibration records, training files
Does the organisation manage outsourcing of any QMS process and maintain control over it?
Clause 5 holds top management directly accountable for QMS effectiveness. Auditors will interview senior leaders to verify they are not just signing documents but actively driving quality through policy, objectives, management review, and resource allocation.
5.1 & 5.2 Management Commitment & Customer Focus
Has top management communicated the importance of meeting customer, statutory, and regulatory requirements?
Quality policy signed by CEO, communication records, training attendance, meeting minutes
Are quality objectives established at relevant functions and levels, and are they measurable?
Resource Management — People, Infrastructure & Work Environment
Clause 6 ensures the organisation provides the resources needed to maintain product quality. Auditors will check personnel competence, equipment suitability, facility cleanliness, and contamination control — especially in cleanroom environments.
6.1 & 6.2 Provision of Resources & Human Resources
Has the organisation determined and provided the resources needed to maintain the QMS and product conformity?
Product Realisation — Design, Purchasing, Production & Service
Clause 7 is the largest and most heavily audited section. It covers the entire product lifecycle from design and development through purchasing, production, calibration, and post-market service. Expect the auditor to spend the majority of their time here.
7.1 & 7.2 Planning & Customer-Related Processes
Are product realisation plans established with defined quality objectives and resource requirements?
Clause 8 closes the PDCA loop. It requires the organisation to monitor, measure, analyse, and improve QMS processes through internal audits, customer feedback, corrective and preventive actions (CAPA), and data-driven improvement.
ISO 13485 Self-Assessment Summary — Score Your Readiness
Use this summary scorecard to track your organisation's compliance level across every major clause. Assign a score of 1-5 for each clause, calculate weighted scores, and identify where remediation is needed before your next audit.
Clause
Weight
Score (1-5)
Weighted
Priority
4 — QMS & Documentation
15%
—
—
—
5 — Management Responsibility
10%
—
—
—
6 — Resource Management
10%
—
—
—
7.1-7.3 — Planning & Design
15%
—
—
—
7.4-7.5 — Purchasing & Production
25%
—
—
—
7.6 — Monitoring Equipment
10%
—
—
—
8 — Measurement & Improvement
15%
—
—
—
Weighted Total
100%
—
—
—
Turn Your ISO 13485 Audit Checklist Into a Live Compliance Dashboard
iFactory gives medical device plants a structured platform for internal audits, supplier audits, CAPA tracking, and document control — with full 21 CFR Part 11 e-signatures, photo evidence, and an immutable audit trail.
Frequently Asked Questions — ISO 13485 Audit Checklist
How often should I perform ISO 13485 internal audits?
ISO 13485:2016 Clause 8.2.2 requires internal audits at planned intervals. Most medical device manufacturers conduct full QMS audits annually, but many choose a staggered approach — auditing individual clauses or departments quarterly — to spread the workload and maintain continuous readiness. The key requirement is that every clause is audited at least once per audit cycle, and that the schedule is defined based on the status and importance of the processes being audited. High-risk processes or areas with recent nonconformities should be audited more frequently.
What is the difference between ISO 13485 and ISO 9001 audit checklists?
ISO 13485 is a stand-alone standard designed specifically for medical device manufacturers, and it adds several requirements not found in ISO 9001. Key differences include: mandatory risk management through the product lifecycle (ISO 14971), stricter design control requirements, a bigger focus on traceability (including UDI), specific requirements for cleanliness and contamination control of the work environment, mandatory adverse event reporting processes, and retention of documented procedures where ISO 9001 allows more flexibility. An ISO 13485 audit checklist is therefore substantially more detailed than an ISO 9001 checklist — especially in Clauses 7 (Product Realisation) and 8 (Measurement and Improvement).
How long does an ISO 13485 internal audit typically take?
The duration depends on the size and complexity of your organisation. For a small medical device manufacturer (10-30 employees), a full QMS audit typically takes 2-3 days. For mid-sized operations (50-200 employees), expect 4-6 days. Large facilities with multiple product lines may require 7-10 days or more. Many organisations now use digital audit management platforms like iFactory to conduct staged audits — auditing clauses 4-6 one week and 7-8 the following week — which reduces disruption while maintaining audit integrity. iFactory's pre-built checklists and automated evidence capture can reduce audit duration by up to 40% compared to paper-based audits.
What evidence should I prepare for an ISO 13485 external audit?
External auditors from notified bodies will expect to see: your quality manual and all documented procedures; completed batch records for at least three production runs; design history files for at least one active product; risk management files per ISO 14971; calibration records for all monitoring and measuring equipment; training records for personnel involved in production; internal audit reports and CAPA records for the last 12 months; complaint handling records and any adverse event reports; management review minutes; and supplier evaluation records. The specific records requested will depend on the scope of your certification, but being able to produce these on demand is the minimum bar for a smooth audit. iFactory's document control and audit trail features make retrieval nearly instantaneous.
Does iFactory support 21 CFR Part 11 electronic signature compliance?
Yes. iFactory Inspection Management is designed with 21 CFR Part 11 compliance built in. This includes: unique user IDs and passwords; electronic signatures that require two distinct actions (signing and re-entering credentials); timestamped audit trails that capture who did what and when; secure record storage with tamper-evident controls; and system validation documentation. For medical device manufacturers subject to FDA audits, this eliminates the need to manage paper-based signature logs and binders. iFactory's audit trail module provides full traceability from inspection creation through sign-off — exactly what FDA investigators and notified body auditors look for. Book a Demo to see the compliance features in action.