FDA Compliance Checklist
Recurring 21 CFR 820 / QMSR compliance review for medical device manufacturers. Quality and operations leads run this on a quarterly cadence to verify QMS health, production controls, document integrity, labeling accuracy, and complaint ...
Quality Management System
-
Publish the quality policy and objectives
Confirm the current-rev quality policy is posted on the production floor and that measurable objectives (DPMO, on-time delivery, CAPA closure rate) are tied to this period's targets. Auditors open here — a stale policy signed by a departed VP is a recurring 483 finding.
-
Schedule the annual internal QMS audit
Per 21 CFR 820.22, internal audits must cover every QMS subsystem on a defined frequency. Schedule trained internal auditors who are independent of the area being audited; attach the audit plan and prior-cycle report.
-
Verify training records against competency matrix
Pull the training matrix from the LMS (MasterControl, Greenlight Guru, or equivalent) and confirm GMP, HazCom, and role-specific training are current for every operator on the floor. Flag any operator whose training expired before the last lot they ran — that's a DHR integrity issue.
-
Hold the quarterly management review
Cover the §820.20 inputs: audit results, customer feedback, process performance, CAPA status, follow-up from prior reviews, and changes that could affect the QMS. Capture decisions, action owners, and the executive sign-off in the meeting record.
-
Archive QMS records per retention schedule
Move closed records to a controlled archive matching the retention rule for the device class — at minimum, expected device lifetime + 2 years per §820.180. Verify the archive is access-controlled and backups exist.
Production and Process Controls
-
Pull the current Device Master Record
Confirm the DMR reflects the latest released ECN — drawings, specs, work instructions, packaging, and labeling all at the same revision. Operators running an older traveler against a newer DMR is a top inspection finding.
-
Run IQ/OQ/PQ process validation
Re-validate any process whose output cannot be fully verified by inspection (sealing, sterilization, injection molding). Execute IQ, OQ, and PQ per the validation master plan; record Cpk on critical parameters and compare against the §820.75 acceptance criteria.
-
Capture SPC data on critical parameters
Pull X-bar R charts for critical-to-quality dimensions from Minitab, InfinityQS, or your MES. Investigate any out-of-control signals (Western Electric rules) before signing off — a chart with no flags from a process running in spec is suspicious.
-
Open a CAPA for the failed validation
Log the CAPA in the QMS within 5 business days of the failed PQ. Include containment of any product produced under the failed conditions, root cause (5-why or fishbone), corrective action, and the effectiveness check that must run before the CAPA can close.
-
Update calibration records for production gauges
Walk the floor and verify every gauge has a current calibration sticker. Red-tag and remove any past-due gauges immediately — product measured by an out-of-cal gauge is suspect material and may require recall back to the last good cal date.
Documentation and Record Keeping
-
Verify DHR completeness against the traveler
Sample five recent Device History Records and confirm each shows the §820.184 elements: dates of manufacture, quantity manufactured, quantity released for distribution, acceptance records, primary identification label, and unique device identifier (UDI). Missing operator signatures are the most common gap.
-
Review pending ECNs in the document log
Pull the open-ECN report from Arena, Windchill, or your PLM. Any ECN released without an operator training cascade is a §820.40 finding — confirm training acknowledgments are tied to the release date for every change in the last quarter.
-
Audit 21 CFR Part 11 e-signature controls
Verify audit trails are enabled on every system holding GxP records, that user accounts are unique (no shared logins), and that signature manifestations show name + date/time + meaning of signature. Test that a deleted record still appears in the audit trail.
-
Apply the device-class retention schedule
Class II implants and Class III devices commonly require 7+ years post-distribution; reusable surgical instruments may run 15+. Confirm the retention rule in the records procedure matches what's actually configured in the document control system.
-
Restrict QMS access to authorized roles
Pull the user access report from the QMS and reconcile against the current org chart. Disable accounts for separated employees (target: same business day as exit). Confirm contractors have time-bounded access tied to their statement of work.
Labeling and Packaging Controls
-
Reconcile UDI labels against GUDID records
Confirm every commercial SKU has a GUDID record matching the printed UDI-DI, brand name, version/model, and package configuration. Mismatches between the physical label and the GUDID record block hospital intake and trigger 21 CFR 830 enforcement.
-
Route label artwork through regulatory review
Regulatory must sign off on indications, contraindications, warnings, Rx-only statement, and symbol use per ISO 15223-1 before any artwork moves to print. Attach the approved PDF here so the production team prints from the same controlled source.
-
Inspect sterile barrier per ISO 11607
Run dye penetration, peel strength, and burst tests per the package validation protocol. A sterile-barrier failure in the field is the kind of thing that triggers a Class I recall — verify the lot's seal data is within the validated window before release.
-
Reconcile label issuance and destruction logs
Per §820.120, labels issued, used, and destroyed must reconcile by lot. Unaccounted labels suggest mislabeling risk — investigate any gap before releasing the lot to finished goods.
-
Verify lot codes on outer carton labels
Pull three cartons at random from finished goods and trace the lot code back through the DHR to raw material lots. A break in this chain disables a future recall — exactly the gap FDA looks for during a for-cause inspection.
Complaint Handling and Adverse Event Reporting
-
Log incoming complaints within 24 hours
Every complaint — phone, email, sales rep relay, distributor portal — gets logged in the QMS complaint module the same business day. The §820.198 file must be uniformly and orderly maintained; an inbox is not a complaint file.
-
Triage complaints for MDR reportability
Apply the §803 decision tree: did the device cause or contribute to a death or serious injury, or could it if the malfunction recurred? Document the rationale either way — a 'no MDR' decision needs a written justification, not silence.
-
File the MDR with FDA on time
Submit Form FDA 3500A through eMDR within 30 days of becoming aware of a reportable event — 5 days for events requiring remedial action to prevent unreasonable risk of substantial harm. Late MDRs are a high-visibility 483 item.
-
Open a CAPA for systemic complaint trends
Pareto the last 90 days of complaints by failure mode. A repeating mode above the trigger threshold opens a CAPA per §820.100 — and the CAPA can't close until effectiveness is shown across a defined number of post-action lots.
-
Maintain the complaint file per 820.198
Each complaint record must include device name, UDI/lot, complainant, date received, dates and results of investigation, and any reply sent. Confirm the file is reviewable on-demand — FDA will ask for a specific complaint by number during inspection.