Flow: audit & inspection-readiness.
Inspection-readiness is not an event · it is a lifecycle. Eight named stages run continuously, three named cycles run on cadence, one risk-based inspection regime decides who gets visited and how often. Every stage has a deliverable, a review point, and a regulatory artefact. Skipping a stage is the most common cause of late-stage 483 escalation.
The eight-stage inspection-readiness lifecycle.
Continuous compliance · mock · pre-inspection · live · 483 · CAPA · effectiveness · management reviewThe lifecycle is sequential and gated. Each stage has a documented deliverable. Each gate is what the inspector will look for. The named cycles in §02 run as overlays on top of these stages.
Continuous compliance monitoring.
Live KPIs running against the QMS surface: open deviations, CAPA age, training compliance, audit observations open, change-control aging, supplier non-conformance rate. ALCOA+ alignment. By 2027 the KPI set is dashboarded and refreshed at least monthly · daily for AI-augmented surfaces.
Evidence KPI dashboard, trend report, management-review snapshot
Mock audit.
Internal or third-party simulation of an external inspection. Scoped against the regulator (FDA QSIT, EMA EU PIC/S, MHRA OOS, ANVISA RDC 658). Auditor walks the sponsor through document retrieval, employee interviews, gemba, data-integrity sampling. Output: mock-audit report with findings classified critical / major / minor.
Duration 3-5 days on-site
Evidence mock-audit report, simulated 483, action list
Pre-inspection review.
Triggered by inspection notification (FDA: typically 5 working days for routine; EMA national: 4-8 weeks; MHRA: 4-6 weeks; PMDA: variable). Document binder readied, personnel briefed, hosting roles assigned, retrieval drills run. Translation arrangements where applicable. Site-readiness checklist closed.
Duration 2-6 weeks
Evidence readiness checklist, briefing log, retrieval drill outcomes
Regulator inspection.
The live event. FDA Form 482 (notice of inspection) issued at start. Daily wrap-up meetings standard. End-of-inspection meeting summarises observations. Sponsor scribe captures every request. Documents provided through controlled handover, not direct desk-side access. ALCOA+ posture maintained throughout.
Evidence daily log, document handover register, scribe notes
483 / inspection response.
FDA Form 483 issued if observations made. Sponsor 15-business-day response window (recommended, not statutory). EMA non-compliance reports trigger CAPA timeline negotiated with the rapporteur authority. Response includes commitment, root-cause analysis, action plan, timeline, evidence of immediate-action steps already taken.
Evidence 483 response letter, CAPA initiated, evidence of immediate action
CAPA · correction + corrective + preventive action.
21 CFR 820.100 · ISO 13485 §8.5 · ICH Q10. Investigation, root-cause analysis (5-why, fishbone, fault-tree as appropriate), correction (immediate fix), corrective action (recurrence prevention), preventive action (similar-event prevention). Each action has owner, due date, verification approach. CAPA backlog and CAPA aging are themselves KPIs.
Evidence CAPA record, RCA artefact, action evidence
Effectiveness verification.
The under-cited stage. ICH Q10 §3.2.4. CAPA effectiveness reviewed 30-90 days after closure: did the action prevent recurrence, did the leading indicator move, was the systemic root cause addressed. Inspectors increasingly cite missing or weak effectiveness verification as a 483 in its own right (rising 2023-2026).
Evidence effectiveness review record, KPI delta evidence, recurrence check
Management review.
ICH Q10 §3 · ISO 13485 §5.6 · ISO 9001 §9.3. Senior management review of QMS performance. Inputs: KPI dashboards, audit results, CAPA effectiveness, customer complaints, supplier performance, regulatory findings, risk register. Outputs: resource decisions, improvement initiatives, QMS objective updates. Cadence increasing 2026-2030 from annual to quarterly under AI-augmented QMS.
Evidence management-review minutes, action register, decision log
The three named cycles.
PDCA · PDSA · Audit-Inspection-ClosureThe eight stages run inside three named cycles. The cycles overlap: a continuous-compliance KPI dashboard sits inside a quarterly management-review cycle, which sits inside an annual external-audit cycle, which sits inside a multi-year regulator inspection cycle.
PDCA · Plan-Do-Check-Act.
Deming-Shewhart cycle · ISO 9001 §0.3.2. The native rhythm of the QMS. Plan KPI targets, do operations, check against KPIs, act on deviation. Each rotation is a quarter or shorter for AI-augmented surfaces. Outputs flow into cycle 02.
PDSA · Plan-Do-Study-Act.
The CAPA-effectiveness rhythm. Plan an action, do the action, study the leading indicators after 30-90 days, act on the result (close, extend, escalate). Used in clinical-quality and manufacturing-quality contexts where root cause is iterative.
Audit-Inspection-Closure.
Internal audit programme (12-month rotation through QMS clauses), supplier audit programme (risk-based cadence), external regulator inspection (variable cadence by site risk score), notified-body certification audit (ISO 13485, ISO 9001, ISO/IEC 42001 typically annual surveillance + 3-yearly recertification).
Risk review rhythm.
ICH Q9(R1) · ISO 14971 risk-management file refresh. Risk register reviewed quarterly. New risks added from incident database, drift telemetry, supplier non-conformance. Existing risks rescored. Mitigation plans tracked. Inspector touchpoint: live risk register evidence on demand.
Risk-based inspection regimes.
FDA · EMA · MHRA · PMDA · ANVISAMajor regulators have shifted from calendar-based to risk-based inspection cadence over 2014-2024. The site risk score now drives inspection frequency, scope, and inspector allocation. The shift has been most visible in MHRA (since 2009), FDA (since 2014 site selection model), EMA (since the 2014 risk-based inspection guideline). Sponsors that score well are inspected less; sponsors that score poorly are inspected on shorter cycles with deeper scope.
What evidence each step requires.
The artefact stack inspectors expectAn inspector arrives expecting a documented, retrievable evidence trail. The trail is the same regardless of regulator. Six categories of artefact, retrievable within the audit window.
SOPs & controlled documents.
Active SOP register, version-control, training records mapped to roles, retention per 21 CFR 211.180 / 21 CFR 820.180. Retrieval target: 15 minutes for any active SOP, 4 hours for historical version.
Deviations · investigations.
Deviation log, RCA artefacts, deviation-to-CAPA mapping. Aging analysis (open > 30 / 60 / 90 days). Inspector typical request: every deviation in the past 24 months for a specific product or process.
CAPA & effectiveness.
CAPA record, action evidence, effectiveness verification. CAPA aging KPI. Effectiveness review evidence is the under-cited gap. Audit-trail of approvals.
ALCOA+ evidence.
Audit-trail review SOP and recent-period reviews. Data-flow diagrams. System validation status. MHRA GxP DI guideline 2018 reference. Data-integrity findings still the #1 cause of 483 escalation 2023-2026.
Supplier qualification.
Approved supplier list, supplier risk classification, supplier audit reports, supplier non-conformance log, supplier-rooted CAPA. ICH Q10 + 21 CFR 820.50 + ISO 13485 §7.4.
Management review.
Management-review minutes for the past 24 months. KPI dashboards with trend. Risk-register review evidence. Action register from prior management review with closure status.
Common failure modes in the flow.
Where the lifecycle breaks · what inspectors actually findThe inspection-readiness flow fails in predictable places. The same failure modes appear across FDA 483 datasets, EMA non-compliance reports, MHRA inspection deficiencies, and ANVISA findings. Recognising the failure mode lets the sponsor pre-empt the citation.
CAPA effectiveness not verified.
Most under-cited gap. CAPA closed without leading-indicator confirmation. Recurrence shows up six months later, gets flagged at next inspection as evidence the CAPA was inadequate. ICH Q10 §3.2.4 cites it explicitly.
Mock audit not mocked.
"Mock audit" treated as document review, not as an inspection simulation. Auditor never asks for documents from cold. Site never practises retrieval under pressure. Pre-inspection review then finds gaps the day before the live event.
Audit-trail review missing.
21 CFR Part 11 audit trails generated but not reviewed. MHRA GxP DI explicitly cites the absence of audit-trail review SOP and recent-period reviews. Top-3 data-integrity 483.
Risk register stale.
ICH Q9(R1) requires risk management to be ongoing. Stale registers (last refreshed >6 months) flagged as evidence of broken risk-based thinking. New incidents not feeding back.
483 response insufficient.
Response addresses correction (immediate fix) but not corrective (recurrence prevention) or preventive (similar-event prevention). FDA escalates to Warning Letter when the response shows no systemic understanding.
Management review perfunctory.
Slide deck, no decisions, no action register. Inspector reads minutes from past 24 months, finds nothing changed quarter-over-quarter. Management review cited as ineffective · an ICH Q10 §3 finding.