ISO 13485 Audit Checklist for Medical Device Plants

By Charles Donovan on May 30, 2026

iso-13485-audit-checklist

ISO 13485:2016 is the stand-alone QMS standard specifically designed for medical device manufacturers. Unlike ISO 9001, it places much stronger emphasis on risk management, design controls, validation, traceability, and regulatory compliance — because a device failure can directly impact patient safety. This audit checklist walks through every major clause of ISO 13485:2016 — from Quality Management System requirements through Management Responsibility, Resource Management, Product Realisation, and Measurement/Analysis/Improvement — so you can assess your current compliance posture before a formal internal or external audit. Each section includes the specific audit questions, evidence requirements, and iFactory features that support 21 CFR Part 11 e-signatures, photo evidence, and an auditable trail.

Maintain 21 CFR Part 11 E-Signatures and Audit Trail With iFactory

iFactory gives medical device manufacturers a structured platform for internal audits, supplier audits, and CAPA tracking — with full FDA 21 CFR Part 11 electronic signature compliance, timestamped photo evidence, and an immutable audit trail.

Clause 4

Quality Management System — General Requirements & Documentation

Clause 4 is the backbone of ISO 13485. It requires the organisation to establish, document, implement, and maintain a QMS that covers all processes needed for product realisation, risk management, and regulatory compliance. The auditor will expect to see not just documented procedures but evidence that the system is being followed day to day.

4.1 General Requirements
Has the organisation identified all QMS processes and determined their sequence and interaction?
Process interaction matrix or turtle diagrams; QMS manual section on process mapping
Are criteria and methods for effective operation and control of these processes defined and applied?
Process KPIs, control plans, work instructions, monitoring check sheets
Are records maintained to demonstrate process operation and conformity to requirements?
Completed batch records, inspection logs, equipment calibration records, training files
Does the organisation manage outsourcing of any QMS process and maintain control over it?
Approved supplier list, outsourcing agreements, supplier audit reports, incoming inspection records
Has risk management been applied to all QMS processes as required by ISO 14971?
Risk management file per ISO 14971, FMEA records, risk assessment reports for each process
4.2 Documentation Requirements
Does the QMS include documented quality policy, quality objectives, quality manual, and required procedures?
Quality manual (current revision), documented procedures per 4.2.4, records matrix
Is a document control procedure in place covering review, approval, identification, changes, and obsoletion?
Document control procedure, master document list, change history logs, obsolete document removal process
Are records controlled — identified, stored, protected, retrievable, with defined retention periods?
Records retention schedule, record storage locations (physical/electronic), backup procedures, archival logs
Are electronic records managed in compliance with 21 CFR Part 11 (if applicable)?
21 CFR Part 11 assessment, validated electronic QMS system, audit trail review, e-signature records
Clause 5

Management Responsibility — Leadership & Commitment

Clause 5 holds top management directly accountable for QMS effectiveness. Auditors will interview senior leaders to verify they are not just signing documents but actively driving quality through policy, objectives, management review, and resource allocation.

5.1 & 5.2 Management Commitment & Customer Focus
Has top management communicated the importance of meeting customer, statutory, and regulatory requirements?
Quality policy signed by CEO, communication records, training attendance, meeting minutes
Are quality objectives established at relevant functions and levels, and are they measurable?
Quality objectives matrix, departmental scorecards, OEE/quality KPI dashboards, quarterly reviews
Has the quality policy been reviewed for continuing suitability and communicated to all personnel?
Quality policy review records, employee acknowledgements, posted policy visible in facility
5.4 & 5.5 Quality Planning & Responsibility
Have responsibilities and authorities been defined and communicated throughout the organisation?
Organisational chart with quality roles, job descriptions, RACI matrix for quality activities
Has a management representative been appointed with defined responsibility for QMS oversight?
Management rep appointment letter, job description, evidence of QMS oversight activities
Are internal communication processes established for QMS effectiveness?
Quality alert procedures, shift handover logs, management review minutes distributed, quality bulletin boards
5.6 Management Review
Are management reviews conducted at planned intervals with all required agenda items covered?
Management review meeting minutes (last 12 months), attendance records, agenda covering all Clause 5.6.2 inputs
Are management review outputs recorded — including decisions on quality improvement, resource needs, and process changes?
Management review action tracker, resource allocation records, improvement project charters
Clause 6

Resource Management — People, Infrastructure & Work Environment

Clause 6 ensures the organisation provides the resources needed to maintain product quality. Auditors will check personnel competence, equipment suitability, facility cleanliness, and contamination control — especially in cleanroom environments.

6.1 & 6.2 Provision of Resources & Human Resources
Has the organisation determined and provided the resources needed to maintain the QMS and product conformity?
Resource planning documents, budget records, staffing plans, equipment purchase logs
Is personnel competence determined based on appropriate education, training, skills, and experience?
Competence matrices per role, training records, qualification certificates, skill assessments
Are training needs identified and addressed, with effectiveness of training evaluated?
Training needs analysis, annual training plan, training completion records, competency verification results
Are records of education, training, skills, and experience maintained for all personnel?
Personnel training files, learning management system records, certification expiry tracking, training matrices
6.3 & 6.4 Infrastructure & Work Environment
Is the infrastructure — buildings, equipment, utilities, IT systems — suitable for achieving product conformity?
Preventive maintenance schedules, calibration records, facility qualification reports, IT validation records
Are work environment conditions — including contamination control, cleanliness, and employee safety — managed and monitored?
Environmental monitoring records (particle count, temp/humidity), cleanroom certification, safety inspection logs, ergonomic assessments
Clause 7

Product Realisation — Design, Purchasing, Production & Service

Clause 7 is the largest and most heavily audited section. It covers the entire product lifecycle from design and development through purchasing, production, calibration, and post-market service. Expect the auditor to spend the majority of their time here.

7.1 & 7.2 Planning & Customer-Related Processes
Are product realisation plans established with defined quality objectives and resource requirements?
Project quality plans, APQP documentation, design input/output reviews, resource allocation sheets
Are customer requirements — including delivery, support, and regulatory — reviewed before commitment?
Contract review records, customer communication logs, order entry verification, change order management
7.3 Design & Development
Are design and development stages, reviews, verification, validation, and transfer defined and documented?
Design history file, design review minutes, verification/validation protocols and reports, design transfer records
Is risk management applied throughout the design process per ISO 14971?
Risk management plan, FMEA (DFMEA/PFMEA), risk/benefit analysis, post-market surveillance risk updates
Are design changes identified, reviewed, and approved before implementation?
Engineering change order process, design change impact assessments, re-verification/re-validation records
7.4 Purchasing
Are purchased products controlled to ensure they meet specified purchase requirements?
Approved supplier list, purchasing specifications, incoming inspection records, supplier certificates of conformance
Are suppliers evaluated and re-evaluated based on defined criteria?
Supplier evaluation criteria, supplier audit schedule and reports, supplier scorecards, performance monitoring records
7.5 Production & Service Provision
Are production and service operations carried out under controlled conditions with documented work instructions?
Work instructions/Batch records, process validation records, equipment setup verification, line clearance records
Is product identification and traceability maintained throughout production — from receipt through shipment?
Unique device identification (UDI) records, lot/batch traceability logs, material traceability forward/backward, serialisation records
Is property belonging to the customer or supplier — including intellectual property — identified, verified, and protected?
Customer property log, IP protection agreements, returned device handling records, storage controls
Is preservation of product — including identification, handling, packaging, storage, and protection — maintained throughout processing and delivery?
Shelf life management records, environmental monitoring for storage areas, packaging validation, FIFO verification
Are validation activities for production and service processes — including sterile barrier and cleanroom processes — documented and maintained?
Process validation protocols and reports, IQ/OQ/PQ records, re-validation schedule, process change impact assessments
7.6 Control of Monitoring & Measuring Equipment
Are monitoring and measuring devices calibrated or verified at defined intervals against traceable standards?
Calibration schedule, calibration certificates traceable to NIST/ISO, calibration stickers on equipment, out-of-calibration escalation records
Is equipment identified with calibration status, and are records of calibration results maintained?
Equipment calibration status labels, calibration database, historical calibration results, calibration recall system
When equipment is found out of calibration, is the validity of previous measurements assessed and documented?
Out-of-calibration investigation reports, retrospective impact assessment, product recall evaluation if applicable
Clause 8

Measurement, Analysis & Improvement — Audits, CAPA & Continuous Improvement

Clause 8 closes the PDCA loop. It requires the organisation to monitor, measure, analyse, and improve QMS processes through internal audits, customer feedback, corrective and preventive actions (CAPA), and data-driven improvement.

8.1 & 8.2 Monitoring & Measurement — Feedback & Complaints
Are customer feedback and complaint handling processes defined, documented, and effectively implemented?
Complaint handling procedure, complaint log (by date, product, severity), complaint investigation reports, regulatory reporting records
Does the organisation have a process for reporting adverse events to regulatory authorities in accordance with applicable regulations?
Adverse event reporting procedure, MDR/IVDR/Vigilance reports submitted, regulatory communication logs, recall procedures
8.2.2 & 8.2.4 Internal Audit & Monitoring of Processes
Are internal audits conducted at planned intervals to verify QMS conformance and effectiveness?
Internal audit schedule, audit plans and checklists, audit reports, non-conformance records, audit close-out records
Are auditors qualified and independent from the area being audited?
Auditor qualification records, auditor training certificates, auditor rotation schedule, conflict-of-interest checks
Are process monitoring and product monitoring methods — including statistical techniques — defined and applied?
SPC control charts, process capability studies (Cp/Cpk), product inspection check sheets, OEE/quality dashboards, first-pass yield reports
8.3 Control of Nonconforming Product
Is nonconforming product identified, documented, segregated, evaluated, and disposed of per documented procedures?
Nonconformance reports, quarantine area controls, disposition records (rework/scrap/return-to-supplier), root cause analysis
Is reworked product re-inspected to verify conformity to original requirements?
Rework work instructions, re-inspection records, rework identification (traceability), revalidation if applicable
8.4 & 8.5 Analysis of Data & Improvement
Is data analysis performed to demonstrate QMS suitability and effectiveness — including trend analysis of quality data?
Quality data trend reports (defect Pareto, OEE trends, complaint trends, audit findings trends), data analysis dashboards, management review inputs
Are corrective and preventive actions (CAPA) initiated in response to nonconformities, complaints, and audit findings?
CAPA records (corrective/preventive), root cause investigation reports, effectiveness verification records, CAPA trend analysis
Is the effectiveness of corrective and preventive actions verified and documented before closure?
CAPA effectiveness check records, follow-up audit reports, before/after metrics, verification evidence (photos, data, documents)
Does the organisation have a documented process for continuous improvement of QMS effectiveness?
Continuous improvement procedure, improvement project records (kaizen/lean/six-sigma), quality objective achievement tracking, innovation records
8.5.1 & 8.5.2 Preventive Action & Risk-Based Improvement
Are preventive actions taken to eliminate the causes of potential nonconformities — using risk-based thinking?
Risk assessment records (FMEA, HAZOP), preventive action records, proactive monitoring data, early warning system outputs
Are preventive action records maintained and reviewed during management review?
Preventive action log, risk register updates, management review minutes discussing preventive actions
Checklist

ISO 13485 Self-Assessment Summary — Score Your Readiness

Use this summary scorecard to track your organisation's compliance level across every major clause. Assign a score of 1-5 for each clause, calculate weighted scores, and identify where remediation is needed before your next audit.

ClauseWeightScore (1-5)WeightedPriority
4 — QMS & Documentation 15%
5 — Management Responsibility 10%
6 — Resource Management 10%
7.1-7.3 — Planning & Design 15%
7.4-7.5 — Purchasing & Production 25%
7.6 — Monitoring Equipment 10%
8 — Measurement & Improvement 15%
Weighted Total 100%

Turn Your ISO 13485 Audit Checklist Into a Live Compliance Dashboard

iFactory gives medical device plants a structured platform for internal audits, supplier audits, CAPA tracking, and document control — with full 21 CFR Part 11 e-signatures, photo evidence, and an immutable audit trail.

FAQ

Frequently Asked Questions — ISO 13485 Audit Checklist

How often should I perform ISO 13485 internal audits?

ISO 13485:2016 Clause 8.2.2 requires internal audits at planned intervals. Most medical device manufacturers conduct full QMS audits annually, but many choose a staggered approach — auditing individual clauses or departments quarterly — to spread the workload and maintain continuous readiness. The key requirement is that every clause is audited at least once per audit cycle, and that the schedule is defined based on the status and importance of the processes being audited. High-risk processes or areas with recent nonconformities should be audited more frequently.

What is the difference between ISO 13485 and ISO 9001 audit checklists?

ISO 13485 is a stand-alone standard designed specifically for medical device manufacturers, and it adds several requirements not found in ISO 9001. Key differences include: mandatory risk management through the product lifecycle (ISO 14971), stricter design control requirements, a bigger focus on traceability (including UDI), specific requirements for cleanliness and contamination control of the work environment, mandatory adverse event reporting processes, and retention of documented procedures where ISO 9001 allows more flexibility. An ISO 13485 audit checklist is therefore substantially more detailed than an ISO 9001 checklist — especially in Clauses 7 (Product Realisation) and 8 (Measurement and Improvement).

How long does an ISO 13485 internal audit typically take?

The duration depends on the size and complexity of your organisation. For a small medical device manufacturer (10-30 employees), a full QMS audit typically takes 2-3 days. For mid-sized operations (50-200 employees), expect 4-6 days. Large facilities with multiple product lines may require 7-10 days or more. Many organisations now use digital audit management platforms like iFactory to conduct staged audits — auditing clauses 4-6 one week and 7-8 the following week — which reduces disruption while maintaining audit integrity. iFactory's pre-built checklists and automated evidence capture can reduce audit duration by up to 40% compared to paper-based audits.

What evidence should I prepare for an ISO 13485 external audit?

External auditors from notified bodies will expect to see: your quality manual and all documented procedures; completed batch records for at least three production runs; design history files for at least one active product; risk management files per ISO 14971; calibration records for all monitoring and measuring equipment; training records for personnel involved in production; internal audit reports and CAPA records for the last 12 months; complaint handling records and any adverse event reports; management review minutes; and supplier evaluation records. The specific records requested will depend on the scope of your certification, but being able to produce these on demand is the minimum bar for a smooth audit. iFactory's document control and audit trail features make retrieval nearly instantaneous.

Does iFactory support 21 CFR Part 11 electronic signature compliance?

Yes. iFactory Inspection Management is designed with 21 CFR Part 11 compliance built in. This includes: unique user IDs and passwords; electronic signatures that require two distinct actions (signing and re-entering credentials); timestamped audit trails that capture who did what and when; secure record storage with tamper-evident controls; and system validation documentation. For medical device manufacturers subject to FDA audits, this eliminates the need to manage paper-based signature logs and binders. iFactory's audit trail module provides full traceability from inspection creation through sign-off — exactly what FDA investigators and notified body auditors look for. Book a Demo to see the compliance features in action.


Share This Story, Choose Your Platform!