
Qms Audit Expert
Plan and execute ISO 13485:2016 Clause 8.2.4 internal QMS audits for medical devices with certification-ready emphasis on design controls, CAPA, and post-market surveillance.
Overview
QMS Audit Expert is an agent skill for the Ship phase that guides ISO 13485 medical-device internal audits aligned with certification bodies and MDR/FDA QSR expectations.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill qms-audit-expert
What is this skill?
- Playbook decision: conduct Clause 8.2.4 internal audits that satisfy certification body expectations
- Six ISO 13485 focus areas: design controls 7.3, process validation 7.5.6, document control 4.2, CAPA 8.5.2, PMS 8.2.1, I
- Explicit contrast vs ISO 27001—more prescriptive lifecycle and DHF/DMR evidence
- Pairs with `audit_schedule_optimizer.py` for cadence and `audit_simulator.py` for mock audits
- Use cases: annual programme, stage-1 readiness, surveillance prep, DHF closure, post-CAPA verification
- Six emphasized audit dimensions including Clause 7.3 design controls and Clause 8.5.2 CAPA
- References ISO 13485:2016 Clause 8.2.4 internal audit programme
Adoption & trust: 709 installs on skills.sh; 17.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You must run an ISO 13485 internal audit programme but lack a single decision-ready playbook for design controls, CAPA, and auditor-grade evidence.
Who is it for?
Medtech solo builders or micro-teams preparing stage-1, surveillance, or DHF-closure audits under ISO 13485 with MDR/FDA alignment needs.
Skip if: Generic SaaS startups without regulated devices, spreadsheet financial QA, or teams only needing ISO 27001 infosec audits.
When should I use this skill?
Annual Clause 8.2.4 internal audit programme, pre-stage-1 ISO 13485 certification, surveillance preparation, new device DHF closure audit, post-CAPA verification, or FDA QSR/EU MDR bridge audit.
What do I get? / Deliverables
You get a structured audit approach with clause priorities, lifecycle triggers, and pointers to schedule optimization and mock-audit scripts for certification readiness.
- Internal audit programme guidance aligned to Clause 8.2.4
- Audit focus checklist across design controls, validation, CAPA, and PMS
- Pointers to cadence optimizer and mock-audit simulator scripts
Journey fit
Medical-device compliance audits are a pre-certification and surveillance gate—classic Ship/security compliance work before market release or audit season. Security subphase covers audit programmes, regulatory alignment (MDR/FDA QSR), and evidence that processes meet ISO 13485—not application pen-testing.
How it compares
Regulated QMS audit methodology—not a spreadsheet formula checker or a neuro-ML inference integration.
Common Questions / FAQ
Who is qms-audit-expert for?
Medical device quality and regulatory leads, founder-operators in medtech, and small teams running ISO 13485 internal audit programmes.
When should I use qms-audit-expert?
Use it in Ship before certification or surveillance audits, after major design changes, for annual Clause 8.2.4 planning, or to verify post-CAPA closure.
Is qms-audit-expert safe to install?
Review the Security Audits panel on this page; companion scripts may touch scheduling data—treat audit evidence and product records as confidential.
SKILL.md
# ISO 13485:2016 Internal Audit Playbook

This reference answers exactly one decision: **how do we conduct an ISO 13485 QMS internal audit (Clause 8.2.4) that satisfies certification body expectations and supports MDR / FDA QSR alignment?**

Pair with `scripts/audit_schedule_optimizer.py` (this skill) for cadence and with `compliance-os/scripts/audit_simulator.py` for mock-audit preparation.

## When to Use This Playbook

- Annual Clause 8.2.4 internal audit programme
- Pre-stage-1 ISO 13485 certification readiness
- Surveillance audit preparation (year 2 / year 3)
- New medical device introduction (DHF closure audit)
- Post-CAPA closure verification audit
- Bridge audit for FDA QSR / EU MDR alignment

## Key Difference from ISO 27001 Audits

ISO 13485 audits emphasize:

1. **Design controls (Clause 7.3)** — DHF/DMR completeness, design verification + validation evidence, traceability matrix
2. **Process validation (Clause 7.5.6)** — IQ/OQ/PQ for manufacturing + sterilization + cleaning processes
3. **Document control (Clause 4.2)** — strict version control + change control for all controlled documents
4. **CAPA (Clause 8.5.2)** — closed-loop with root cause analysis; "containment / correction / corrective action" distinction
5. **Post-market surveillance (Clause 8.2.1)** — vigilance reporting, customer feedback loop, trend analysis
6. **Risk management (Clause 7.1 + ISO 14971)** — risk file maintained across product lifecycle

ISO 13485 audits are **more prescriptive** than 27001 — auditors expect specific record formats, sign-offs, and traceability that 27001's risk-based approach does not require.

## The 7-Phase Audit Workflow

Same 7-phase structure as ISO 27001 (Plan → Prepare → Open → Field → Close → Report → Track), with these QMS-specific differences:

### Phase 1 Plan — Scope Selection

ISO 13485 organizes clauses by lifecycle activity. Audit fieldwork organizes by:

- **Design controls (Clause 7.3)** — DHF audit per product
- **Production & service provision (Clause 7.5)** — process validation evidence
- **Management responsibility (Clause 5)** — management review records
- **Resource management (Clause 6)** — competence + infrastructure + work environment
- **Measurement, analysis, improvement (Clause 8)** — internal audit programme + CAPA + nonconformity + statistical techniques

3-year rolling coverage: every clause audited at least once, with design + CAPA + post-market in higher rotation due to risk weight.

### Phase 4 Field — QMS-Specific Sampling

For design controls (Clause 7.3) — sample DHFs:

- Stratified by product class (Class I, IIa, IIb, III per MDR; Class I/II/III per FDA)
- For each sampled DHF, verify:
  - Design + development plan with stages + reviews defined
  - Design inputs traceability to user needs / clinical requirements
  - Design outputs verification evidence
  - Design validation evidence (clinical evaluation per MDR Annex XIV / 510(k) summary per FDA)
  - Design transfer evidence
  - Design changes controlled per Clause 7.3.9
  - DHF complete and archived

For CAPA (Clause 8.5.2) — sample CAPA records:

- Stratified by source (customer complaint, internal audit, management review, nonconformity)
- For each sampled CAPA, verify:
  - Problem statement clear + measurable
  - Root cause analysis evidence (5 Why, fishbone, Pareto, FMEA — pick the method)
  - Containment + correction + corrective action distinction documented
  - Effectiveness verification with evidence (re-test or sample post-implementation)
  - Closure approved by appropriate authority

For post-market surveillance (Clause 8.2.1) — sample:

- Customer complaint log + investigation closure
- Vigilance reports (serious incident / FSCA) submitted per applicable regulation
- Trend analysis evidence + management review input
- Post-market clinical follow-up evidence (per MDR for high-risk devices)

## Common Stage 1 / Stage 2 Findings (the patterns)

Based on practitioner reports of common ISO 13485:2016 findings:

1. **Design c