Flow: audit & inspection-readiness.
Inspection-readiness is not an event · it is a lifecycle. Eight named stages run continuously, three named cycles run on cadence, risk-based inspection programmes influence inspection frequency and scope. Each stage should have a deliverable, a review point, and a retained record. Skipping a stage increases the risk that later inspection responses become reactive rather than evidence-led.
The eight-stage inspection-readiness lifecycle.
Continuous compliance · mock · pre-inspection · live · 483 · CAPA · effectiveness · management reviewThe lifecycle is sequential and gated. Each stage has a documented deliverable. Each gate is what the inspector will look for. The named cycles in §02 run as overlays on top of these stages.
Continuous compliance monitoring.
Live KPIs running against the QMS surface: open deviations, CAPA age, training compliance, audit observations open, change-control aging, supplier non-conformance rate. ALCOA+ alignment. For mature systems, the KPI set is refreshed on a defined cadence; AI-augmented surfaces may need tighter monitoring.
Evidence KPI dashboard, trend report, management-review snapshot
Mock audit.
Internal or third-party simulation of an external inspection. Scoped against the regulator (FDA QSIT, EMA EU PIC/S, MHRA OOS, ANVISA RDC 658). Auditor walks the sponsor through document retrieval, employee interviews, gemba, data-integrity sampling. Output: mock-audit report with findings classified critical / major / minor.
Duration scope dependent
Evidence mock-audit report, simulated 483, action list
Pre-inspection review.
Triggered by inspection notification (notice periods and inspection logistics vary by regulator, inspection type, and jurisdiction). Document binder readied, personnel briefed, hosting roles assigned, retrieval drills run. Translation arrangements where applicable. Site-readiness checklist closed.
Duration 2-6 weeks
Evidence readiness checklist, briefing log, retrieval drill outcomes
Regulator inspection.
The live event. FDA Form 482 (notice of inspection) issued at start. Daily wrap-up meetings standard. End-of-inspection meeting summarises observations. Sponsor scribe captures every request. Documents provided through controlled handover, not direct desk-side access. ALCOA+ posture maintained throughout.
Evidence daily log, document handover register, scribe Signals
483 / inspection response.
FDA Form 483 issued if observations made. Sponsor 15-business-day response window (recommended, not statutory). EMA non-compliance reports trigger CAPA timeline negotiated with the rapporteur authority. Response includes commitment, root-cause analysis, action plan, timeline, evidence of immediate-action steps already taken.
Evidence 483 response letter, CAPA initiated, evidence of immediate action
CAPA · correction + corrective + preventive action.
21 CFR 820.100 · ISO 13485 §8.5 · ICH Q10. Investigation, root-cause analysis (5-why, fishbone, fault-tree as appropriate), correction (immediate fix), corrective action (recurrence prevention), preventive action (similar-event prevention). Each action has owner, due date, verification approach. CAPA backlog and CAPA aging are themselves KPIs.
Evidence CAPA record, RCA artefact, action evidence
Effectiveness verification.
A commonly under-documented stage. ICH Q10 §3.2.4. CAPA effectiveness reviewed 30-90 days after closure: did the action prevent recurrence, did the leading indicator move, was the systemic root cause addressed. Missing or weak effectiveness verification can become an observation in its own right, especially when recurrence or weak KPI evidence is visible.
Evidence effectiveness review record, KPI delta evidence, recurrence check
Management review.
ICH Q10 §3 · ISO 13485 §5.6 · ISO 9001 §9.3. Senior management review of QMS performance. Inputs: KPI dashboards, audit results, CAPA effectiveness, customer complaints, supplier performance, regulatory findings, risk register. Outputs: resource decisions, improvement initiatives, QMS objective updates. Cadence should reflect QMS maturity, risk profile, and management-review procedure; AI-augmented QMS surfaces may justify more frequent review.
Evidence management-review minutes, action register, decision log
The three named cycles.
PDCA · PDSA · Audit-Inspection-ClosureThe eight stages run inside three named cycles. The cycles overlap: a continuous-compliance KPI dashboard sits inside a quarterly management-review cycle, which sits inside an annual external-audit cycle, which sits inside a multi-year regulator inspection cycle.
PDCA · Plan-Do-Check-Act.
Deming-Shewhart cycle · ISO 9001 §0.3.2. The native rhythm of the QMS. Plan KPI targets, do operations, check against KPIs, act on deviation. Each rotation is a quarter or shorter for AI-augmented surfaces. Outputs flow into cycle 02.
PDSA · Plan-Do-Study-Act.
The CAPA-effectiveness rhythm. Plan an action, do the action, study the leading indicators after 30-90 days, act on the result (close, extend, escalate). Used in clinical-quality and manufacturing-quality contexts where root cause is iterative.
Audit-Inspection-Closure.
Internal audit programme (12-month rotation through QMS clauses), supplier audit programme (risk-based cadence), external regulator inspection (variable cadence by site risk score), notified-body certification audit (ISO 13485, ISO 9001, ISO/IEC 42001 typically annual surveillance + 3-yearly recertification).
Risk review rhythm.
ICH Q9(R1) · ISO 14971 risk-management file refresh. Risk register reviewed quarterly. New risks added from incident database, drift telemetry, supplier non-conformance. Existing risks rescored. Mitigation plans tracked. Inspector touchpoint: live risk register evidence on demand.
Risk-based inspection regimes.
FDA · EMA · MHRA · PMDA · ANVISAMajor regulators have shifted from calendar-based to risk-based inspection cadence over 2014-2024. The site risk score now drives inspection frequency, scope, and inspector allocation. The shift has been most visible in MHRA (since 2009), FDA (since 2014 site selection model), EMA (since the 2014 risk-based inspection guideline). Sponsors that score well are inspected less; sponsors that score poorly are inspected on shorter cycles with deeper scope.
What evidence each step requires.
The artefact stack inspectors expectAn inspector arrives expecting a documented, retrievable evidence trail. The trail is the same regardless of regulator. Six categories of artefact, retrievable within the audit window.
SOPs & controlled documents.
Active SOP register, version-control, training records mapped to roles, retention per 21 CFR 211.180 / 21 CFR 820.180. Retrieval target: 15 minutes for any active SOP, 4 hours for historical version.
Deviations · investigations.
Deviation log, RCA artefacts, deviation-to-CAPA mapping. Aging analysis (open > 30 / 60 / 90 days). Inspector typical request: every deviation in the past 24 months for a specific product or process.
CAPA & effectiveness.
CAPA record, action evidence, effectiveness verification. CAPA aging KPI. Effectiveness review evidence is the under-cited gap. Audit-trail of approvals.
ALCOA+ evidence.
Audit-trail review SOP and recent-period reviews. Data-flow diagrams. System validation status. MHRA GxP DI guideline 2018 reference. Data-integrity findings remain a recurring cause of inspection escalation; use official FDA and regulator datasets before citing a ranking.
Supplier qualification.
Approved supplier list, supplier risk classification, supplier audit reports, supplier non-conformance log, supplier-rooted CAPA. ICH Q10 + 21 CFR 820.50 + ISO 13485 §7.4.
Management review.
Management-review minutes for the past 24 months. KPI dashboards with trend. Risk-register review evidence. Action register from prior management review with closure status.
Common failure modes in the flow.
Where the lifecycle breaks · what inspectors actually findThe inspection-readiness flow fails in predictable places. The same failure modes appear across FDA 483 datasets, EMA non-compliance reports, MHRA inspection deficiencies, and ANVISA findings. Recognising the failure mode lets the sponsor pre-empt the citation.
CAPA effectiveness not verified.
Most under-cited gap. CAPA closed without leading-indicator confirmation. Recurrence shows up six months later, gets flagged at next inspection as evidence the CAPA was inadequate. ICH Q10 §3.2.4 cites it explicitly.
Mock audit not mocked.
"Mock audit" treated as document review, not as an inspection simulation. Auditor never asks for documents from cold. Site never practises retrieval under pressure. Pre-inspection review then finds gaps the day before the live event.
Audit-trail review missing.
21 CFR Part 11 audit trails generated but not reviewed. MHRA GxP DI explicitly cites the absence of audit-trail review SOP and recent-period reviews. Top-3 data-integrity 483.
Risk register stale.
ICH Q9(R1) requires risk management to be ongoing. Stale registers (last refreshed >6 months) flagged as evidence of broken risk-based thinking. New incidents not feeding back.
483 response insufficient.
Response addresses correction (immediate fix) but not corrective (recurrence prevention) or preventive (similar-event prevention). FDA escalates to Warning Letter when the response shows no systemic understanding.
Management review perfunctory.
Slide deck, no decisions, no action register. Inspector reads minutes from past 24 months, finds nothing changed quarter-over-quarter. Management review cited as ineffective · an ICH Q10 §3 finding.
Source register.
official anchors · interpretation separatedQMSR final rule.
Federal Register final rule amending the Quality System Regulation; effective date and FDA-specific overlays should be read from the rule text.
21 CFR Part 820.
Current legal text for FDA device quality-system requirements; use this as the live clause anchor for QMSR references.
Q9(R1) quality risk management.
Step 4 guideline for quality-risk-management concepts, subjectivity, formality, and knowledge management.
Q10 pharmaceutical quality system.
Pharmaceutical quality-system reference for management responsibility, lifecycle quality, CAPA, and continual improvement.
Q12 lifecycle management.
Step 4 guideline for established conditions, post-approval change management, and product lifecycle management.
21 CFR Part 11.
Electronic records and electronic signatures rule; use with predicate-rule context and FDA scope guidance.
Data integrity Q&A.
FDA questions-and-answers guidance on data integrity and CGMP; useful for ALCOA+ and audit-trail interpretation.
EudraLex Volume 4.
Official EU GMP page for Annex 11 and related GMP annexes; AI-specific GMP claims should be checked here before publication.
EU AI Act.
Regulation (EU) 2024/1689 official text; used for AI Act timing, high-risk system references, and governance boundaries.
ISO/IEC 42001.
AI management-system standard landing page. Full standard text is paid; public iFeed content should not quote unavailable clauses.
Computer Software Assurance.
FDA guidance PDF for production and quality-system software; useful for CSA and CSV evidence-readiness discussion.
GAMP 5, second edition.
Industry guidance landing page. Treat as implementation guidance, not a regulation; full guide access is controlled by ISPE.