NSF Audit Navigator

Start with architecture, move to the relevant audit flow, then use the matrix only for drill-down and support.

Architecture 1-Pager

Open the Architecture 1-Pager to orient the auditor to the system, then move immediately into a live example below. At a high level:

  • Quality Unit (QU) holds final decision authority for approval, release, rejection, and closure;
  • Quality Control (QC) defines acceptance criteria, specifications, and decision rules;
  • Quality Management System (QMS) governs process structure, workflows, and oversight; and
  • Quality Assurance (QA) manages execution through workflows, deviations, and CAPA while providing independent oversight of operations.

Audit flows (use based on question type)

  • 'End to End' Traceability: Normal operations. Use for supplier, material, batch, release, and traceability questions.
  • Deviation / CAPA: Exception handling. Use when the auditor asks what happens when something goes wrong.
  • Data Integrity: System trust. Use for Part 11, access, validation, records, and data integrity questions.
  • Change Control: Controlled state management. Use when the auditor asks how GMP changes are assessed, approved, implemented, and verified.

'End to End' Traceability (Supplier → Release)

Use this when the auditor wants one connected story from supplier qualification through final release, shown in a consistent audit-ready format: brief description, SOP, form, and evidence.

Quality Unit (QU) Control Points — Non-Delegable Authority

These control points are embedded across the lifecycle under 21 CFR Part 111. Operations execute GMP activities, QA administers QMS workflows, and the Quality Unit (QU) retains independent decision authority.

  • QU Decision Authority — approval, release, authorization, and system control
  • QU Execution Required — regulatory evaluations including specifications, test methods, material disposition, rework, and batch review

Context / Process Overview
Defines procurement and material control framework and responsibilities.

Supplier Sourcing Verification
Initial supplier screening prior to qualification workflow.

Supplier Qualification Approval
Formal evaluation and approval of suppliers prior to use.
QU DECISION
Supplier qualification and COA reliance approval required under QU authority per 21 CFR 111.75.

Approved Supplier List (ASL) Control
Controlled list of approved suppliers for purchasing and use.

Material Specifications & Test Methods Approval
Defines approved material specifications, acceptance criteria, and analytical test methods used for material acceptance and verification prior to use.
QU DECISION AUTHORITY
Specifications, acceptance criteria, and analytical test methods are established and approved under Quality Unit authority within the QC control framework and administered through QA-controlled specification management prior to use in sampling, testing, and material readiness activities per 21 CFR 111.70 and 111.75.

Supplier Documentation Verification (COA)
Verification of supplier COAs and supporting documentation prior to reliance.
QU DECISION
COA reliance and acceptance controls approved under QU authority per 21 CFR 111.75.

Receiving Inspection
Inspection of incoming materials for condition and compliance.

Identity Verification
Verification of material identity prior to use.

Container Condition Verification
Verification of packaging integrity and contamination risk.

Material Review & Disposition
Evaluation of material against specifications and determination of accept/reject status.
QU EXECUTION REQUIRED
Material review and disposition must be performed under QU control per 21 CFR 111.113.

Master Manufacturing Record (MMR) Approval
Approved manufacturing instructions governing batch execution.
QU DECISION
MMR approval required under QU authority per 21 CFR 111.205 and 111.210.

Manufacturing Execution (BPR)
Execution of batch production record with full documentation.
QU EXECUTION REQUIRED
Rework or reprocessing decisions must be evaluated under QU control per 21 CFR 111.103.

Batch Record Review
Comprehensive review of batch documentation and deviations.
QU EXECUTION REQUIRED
Batch record review must be performed under QU control per 21 CFR 111.113.

Final Release & Disposition
Final release authorization and disposition of product.
QU DECISION
Final release and disposition decisions are non-delegable QU authority per 21 CFR 111.113.

Traceability & Recall Demonstration
Demonstrates full backward and forward traceability and recall readiness.
QU DECISION
Record retention and traceability must be ensured under QU oversight per 21 CFR 111.605.

Deviation / CAPA (Event → Investigation → Disposition → Prevention)

Use this when the auditor asks how issues, deviations, complaints, or unexpected events are controlled, investigated, and resolved under Quality Unit authority.

Quality Unit (QU) Control — Non-Delegable Authority

Deviation handling, investigation, CAPA, complaint evaluation, and returned product decisions are governed under 21 CFR Part 111 as non-delegable Quality Unit responsibilities. QA administers workflows and evidence routing; however:

  • QU Execution Required — investigation conclusions, root cause determination, CAPA approval, complaint evaluation, returned product disposition
  • QU Decision Authority — final disposition, closure, and release impact decisions

Deviation / Event Trigger
An event such as an OOS result, process deviation, complaint, or unexpected condition initiates the deviation workflow.

Deviation Logging & Initial Classification
The event is formally recorded, categorized by severity, and assessed for escalation and product impact.

Immediate Containment & Control
Affected materials, batches, or processes are controlled to prevent further impact (hold, quarantine, stop production).
QU EXECUTION REQUIRED
Initial product impact assessment and containment actions must be evaluated under QU control per 21 CFR 111.113.

Investigation & Root Cause Determination
A structured investigation determines root cause, scope, and whether other lots, materials, or systems are impacted.
QU EXECUTION REQUIRED
Investigation conclusions and root cause determinations must be performed under QU authority per 21 CFR 111.113.

Complaint Evaluation (if applicable)
Complaints linked to deviations are evaluated for product quality impact and investigation requirements.
QU EXECUTION REQUIRED
Complaint evaluation must be performed under QU control per 21 CFR 111.560.

Returned Product Evaluation (if applicable)
Returned products are assessed for quality, disposition, and potential impact on distributed lots.
QU EXECUTION REQUIRED
Returned product evaluation and disposition must be performed under QU authority per 21 CFR 111.535.

CAPA Definition & Approval
Corrective actions address the immediate issue; preventive actions address systemic root cause and recurrence prevention.
QU EXECUTION REQUIRED
CAPA plans, risk evaluation, and effectiveness criteria must be approved under QU control per 21 CFR 111.140.

Change Control (if required)
CAPA actions requiring changes to processes, specifications, suppliers, or systems are formally controlled and approved.

CAPA Effectiveness Verification
CAPA actions are verified for effectiveness to ensure root cause is resolved and recurrence is prevented.
QU EXECUTION REQUIRED
Effectiveness verification must be evaluated under QU authority to confirm closure validity.

Final Disposition & Closure
Final determination of product impact, disposition, and formal closure of the deviation record.
QU DECISION
Final disposition, closure, and release impact decisions are non-delegable QU authority per 21 CFR 111.113.

Data Integrity / System Control (Access → Validation → Governance → Records)

Use this when the auditor asks about Part 11, data integrity, system validation, access control, and record governance.

Quality Unit (QU) Control — Data Integrity & System Governance

Electronic systems, records, and data integrity controls must ensure accuracy, completeness, and traceability under 21 CFR Part 111 and Part 11. IT administers systems, QA administers workflows, and the Quality Unit (QU) retains oversight and approval authority.

  • QU Decision Authority — validation approval, system suitability, and record control governance
  • QU Execution Required — evaluation of data integrity risks, validation conclusions, and record integrity determinations

Primary Control Points (Open Based on Question)

Start with the relevant control domain below based on the auditor’s question, then demonstrate using system records.

System Access Control & Authorization
User access is controlled based on roles, responsibilities, and authorization to ensure only qualified personnel can create or modify GMP records.
QU DECISION
System access controls and role definitions are approved under Quality Unit oversight to ensure data integrity and segregation of duties.

Audit Trail & Activity Logging
Systems maintain secure, computer-generated audit trails capturing creation, modification, and deletion of GMP records.
QU EXECUTION REQUIRED
Audit trail review and data integrity assessments must be performed under QU control to ensure completeness and detect unauthorized changes.

System Validation (Part 11 Compliance)
Computerized systems used in GMP activities are validated to ensure accuracy, reliability, and consistent intended performance.
QU EXECUTION REQUIRED
Validation conclusions, risk assessments, and acceptance must be performed under QU control per validation program requirements.

System Lifecycle & Change Control
Changes to validated systems are controlled, assessed for impact, and approved prior to implementation.
QU DECISION
System changes impacting GMP records must be reviewed and approved under QU authority.

Data Integrity Governance (ALCOA+)
Data must be attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available.
QU EXECUTION REQUIRED
Data integrity risks, controls, and periodic reviews must be evaluated under QU authority to ensure compliance with ALCOA+ principles.

Record Creation & Completeness
Records are created at the time of activity and must be complete, accurate, and attributable.

Record Review & Approval
Records are reviewed for completeness, accuracy, and compliance prior to approval and use in decision-making.
QU EXECUTION REQUIRED
Record review supporting GMP decisions must be performed under QU control to ensure integrity and reliability.

Record Retention & Availability
Records are securely retained, protected from loss or alteration, and readily retrievable for inspection.
QU DECISION
Record retention, protection, and availability are governed under QU oversight per 21 CFR 111.605.

Anchor responses in controls: access → audit trail → validation → governance → records. Demonstrate with real system evidence, not policy statements.

Change Control (Controlled State Management)

Use this when the auditor asks how changes to GMP systems, processes, specifications, documents, or records are controlled, evaluated, and implemented.

Quality Unit (QU) Control — Change Governance

Change Control governs all modifications to controlled GMP systems, processes, specifications, documents, and records. Changes may originate from CAPA, validation, continuous improvement, supplier updates, or system enhancements.

  • QU Decision Authority — approval of changes impacting GMP processes, specifications, systems, and records
  • QU Execution Required — evaluation of change impact, risk assessment, and determination of validation or regulatory impact

Change Trigger & Initiation
Changes may be initiated from CAPA actions, deviations, process improvements, supplier updates, system upgrades, or document revisions.

Change Classification & Scope Definition
Changes are classified based on impact (minor, major, critical) and scope (process, system, specification, supplier, document).

Impact Assessment & Risk Evaluation
Assessment of impact on product quality, safety, regulatory compliance, validation state, and data integrity.
QU EXECUTION REQUIRED
Change impact evaluation and risk determination must be performed under QU authority to ensure GMP compliance and controlled state integrity.

Change Approval
Proposed changes are reviewed and approved prior to implementation, including cross-functional input where required.
QU DECISION
Changes impacting GMP processes, specifications, systems, or records must be approved under QU authority prior to implementation.

Change Implementation
Approved changes are implemented in a controlled manner, including updates to SOPs, forms, systems, specifications, suppliers, or MMRs.

Validation / Verification (if required)
Changes affecting validated systems or processes require revalidation or verification to confirm continued control.
QU EXECUTION REQUIRED
Validation and verification conclusions must be evaluated under QU authority to ensure system and process integrity.

Document & Record Updates
Updates to SOPs, forms, specifications, and records are controlled to ensure consistency with the approved change.

Training & Communication
Personnel are trained on changes prior to implementation to ensure correct execution.

Effectiveness Verification
Changes are evaluated post-implementation to confirm intended outcomes and absence of unintended consequences.
QU EXECUTION REQUIRED
Effectiveness and impact verification must be performed under QU authority to confirm the system remains in a controlled state.

Change Closure
Formal closure confirms all required actions, validations, documentation updates, and training have been completed.
QU DECISION
Final closure of change control records is approved under QU authority, confirming controlled implementation.

Anchor responses in control of state: what changed, why it changed, how it was evaluated, how it was implemented, and how control was re-established.

Highest-risk topics to over-prepare

  • Supplier qualification / ASL: PROC family pack, Supplier Quality Program, qualification WIN, ASL log.
  • COA reliance and identity: QC-REQ, supplier docs verification, receiving identity checks, QCL and QA review points.
  • Release authority: QA release, QU gates, QC-REC governance, batch record review checklists.
  • Data integrity / Part 11: L0 foundation, QC-DI docs, validation program, IT family pack.

If pressed on a weak point, shift from abstract explanation to a specific record path immediately. The risk is rarely missing structure; it is usually slow demonstration.

Audit Q&A matrix

Likely auditor question | What they really mean | Owner | Open first | Backup proof | Notes
Give me a brief overview of your QMS structure. | Show the system is intentional, layered, and navigable. | QU, QMS | Auditor briefing; Architecture 1-pager | L0 foundation; Unified Governance Manual | QMS; High
Who has final authority for release, disposition, and supplier approval? | Prove non-delegable Quality Unit authority. | QU | QU Gates | QC-REQ Index; QU authority | QU; High
How do you know your SOP universe is complete? | Show there are no orphan processes or undocumented control gaps. | QMS | SOP Register | Regulatory Crosswalk; Architecture & Evidence Audit | QMS; Medium
How do you trace a lot backward and forward? | Need immediate trace and recall readiness. | QMS, WH | Traceability & Recall Program | WH family pack; Recall WIN | QMS, WH; High
How do you ensure suppliers are qualified before use? | Show the qualification gate and who approves it. | PROC, QU | Supplier qualification WIN | PROC family pack; Supplier Quality Program | PROC; High
How do you prevent purchasing from using unapproved suppliers? | Show a live control, not just policy language. | PROC | P2P authorize WIN | ASL log WIN; Source record | PROC; High
How do you verify supplier-provided documents and COAs? | Prove you do not rely blindly on supplier paperwork. | PROC, QA | Supplier docs verify WIN | Supplier documentation review; Supplier Quality Program | PROC; High
What is the difference between sourcing and purchasing? | Show role separation and avoid control overlap. | PROC | PROC family pack | PROC auditor Q&A; Sourcing how-to | PROC; Medium
How do you control outsourced service providers or contract manufacturers? | Prove supplier oversight extends beyond raw material vendors. | QU, PROC | Supplier Quality Program | PROC family pack; L0 foundation | PROC, QMS; High
What happens when material arrives at the warehouse? | Show controlled receipt, condition check, and status control. | WH | WH receiving inspection | WH family pack; Container condition checklist | WH; High
How do you segregate quarantine, released, and rejected materials? | Need visual and record-based status control. | WH, MH | Status segregation verification | Quarantine area verification; Status maintain artifact | WH, MH; High
How do you ensure FIFO / FEFO is followed? | Show inventory rotation controls. | WH | FIFO / FEFO verification | WH deliverables | WH; Medium
How do you control returned materials? | Need evaluation, segregation, and disposition path. | WH, QA | Returned material evaluation | Returns WIN; QC-REQ Index | WH, QA; Medium
How do you control material movement and status during internal transfers? | Show that movement never breaks traceability or status. | MH | Material movement verification | Segregation / status control WIN; MH family pack | MH; High
How do you know material is ready before it is issued to production? | Show readiness gate, not just physical availability. | MH, QA | Readiness gate WIN | Readiness execution WIN; Issuance WIN | MH; High
How is production controlled against an approved master record? | Show execution against a controlled MMR and BPR. | PROD, QU | MMR example | BPR WIN; PROD family pack | PROD; High
What happens if there is an in-process deviation? | Show stop / escalate / workflow path. | PROD, QA | Deviation WIN | QC-REQ Index; Foreign material control WIN | PROD, QA; High
How do you verify line readiness before starting production? | Need pre-op and hygiene readiness evidence. | PROD | Pre-operation readiness | Cleaning verification; Personnel hygiene verification | PROD; Medium
How do you control foreign material risks? | Show preventive and response controls, not just awareness. | PROD | Foreign material control | QC-REQ Index; FM control WIN | PROD; Medium
How do you prevent label mix-ups and packaging errors? | Show label verification and line clearance controls. | PKG, QA | Label verification | Line clearance; PKG family pack | PKG; High
How do you verify packaging in-process controls? | Need live checks during packaging, not just set-up. | PKG, QC-IPC | In-process packaging | PKG deliverables; Shipping verification checklist | PKG; Medium
How do you know the area was clean before use? | Show sanitation verification, not just a schedule. | SAN, PROD | Pre-operation sanitation verification | SAN family pack; Facility hygienic condition | SAN; Medium
How do you manage employee hygiene and pest control? | Show foundational GMP hygiene controls. | SAN | Employee hygiene compliance | Pest control inspection; SAN family pack | SAN; Low
How do you control facility and utility conditions that affect product quality? | Show maintenance is quality-linked, not just operational. | MAINT | MAINT family pack | Compressed air; Water quality | MAINT; Medium
How do you manage preventive maintenance and equipment suitability? | Need evidence of planned upkeep and impact awareness. | MAINT, QA | Preventive maintenance | Instrument/system suitability spec; MAINT deliverables | MAINT; Medium
Where are your acceptance rules defined and who owns them? | Need the control framework, not scattered checklists. | QC-IPC, QU | QC-REQ Index | QC governance framework; Rules framework | QC-IPC; High
How do you verify incoming material identity and condition? | Show checklists and decision logic for receipt. | QC-IPC, WH | Receiving label identity checklist | Container condition checklist; Component identity spec | QC-IPC; High
How do you review batch records before release? | Need objective, defined batch review evidence. | QC-IPC, QA | Batch record review checklist | Required QC operations; QA release WIN | QC-IPC, QA; High
How do you ensure lab methods and results are suitable and reviewed? | Need method suitability plus independent result review. | QCL, QU | Test method verification | Test results review; Analytical method suitability | QCL; High
How do you control sampling plans and sample labeling? | Need representative sampling and traceable samples. | QCL | Sampling plan verification | Sample label verification; Sampling plan governance | QCL; Medium
What happens when there is a deviation, complaint, CAPA, or change? | Show the controlled workflow system. | QA | QA index | Deviation, CAPA, Change, Complaint | QA; High
How is final release performed and documented? | Need independent review and final authorization path. | QA, QU | Release WIN | QU Gates; Required QC operations | QA, QU; High
How are reserves, returns, and stability handled? | Need lifecycle control after routine production. | QA | Reserve WIN | Returns WIN; Stability WIN | QA; Medium
How do you train people before they perform GMP work? | Need role-based competency, not generic onboarding. | TAL, QMS | TAL index | Supplier / procurement control training; L0 foundation | TAL; Medium
How do you keep role expectations and training aligned? | Show role architecture to training linkage. | TAL | Role architecture | TAL family pack | TAL; Low
How do you control access to GMP-relevant systems? | Show controlled access and approval, not ad hoc permissions. | IT, QU | System access approval | IT family pack; Electronic record system governance | IT; High
How do you ensure electronic systems remain suitable and validated? | Need validation lifecycle and requalification story. | IT, QMS | Validation Program | Validation & requalification governance; L0 foundation | IT, QMS; High
How do you ensure data integrity and record completeness? | Need ALCOA+, record traceability, review, and retrieval. | QU, QMS | Data integrity governance | Record completeness & traceability; Record retention & availability | QMS; High

System Foundation & Control Anchors

Document | Why it matters | Primary use | Link
Auditor Orientation Briefing | Sets context | Opening meeting | Open
L0 Governance Foundation | Enterprise rules and inheritance | Escalation, training, records, Part 11, authority | Open
Regulatory Crosswalk | Proves mapped design coverage | Show requirement-to-system linkage | Open
QC-REQ Index | Authoritative control logic | Acceptance, escalation, QU gates | Open
QU Gates | Non-delegable decisions | Release, rejection, rework, approval authority | Open
Traceability & Recall Program | End-to-end trace | Lot trace, recall, back/forward linkage | Open
Supplier Quality Program | Supplier tiers and oversight | Supplier qualification, verification, performance | Open
Validation Program | Validation and requalification | System suitability, change, revalidation discussion | Open

Domain landing pages

Domain | Main index | Family pack | Helpful extras
QMS | Index | Unified Governance Manual | Governance Index
QU | Index | Family Pack | QU Gates
PROC | Index | Family Pack | Auditor Q&A
WH | Index | Family Pack | Mock FDA inspection
MH | Index | Family Pack | Deliverables
PROD | Index | Family Pack | Deliverables
PKG | Index | Family Pack | Deliverables
SAN | Index | Family Pack | Deliverables
MAINT | Index | Family Pack | Deliverables
QA | Index | Family Pack | Mock FDA inspection
QC-IPC | Index | Family Pack | Mock FDA inspection
QCL | Index | Family Pack | Deliverables
TAL | Index | Family Pack | Deliverables
IT | Index | Family Pack | Deliverables

Mock audit questions

Use these to rehearse the exact transition from architecture → example → evidence.

1. “Give me a quick overview of your quality system.” Start with the Architecture 1-Pager. Define QU, QC, QMS, and QA briefly. Then transition: “I’ll show you how that works in practice with one real example.”
2. “How do you ensure suppliers are qualified before use?” Open Golden Thread (Supplier → Release). Walk qualification, ASL, supplier documentation, receiving, and release.
3. “How do you know incoming material is acceptable?” Stay in Golden Thread. Show receiving inspection, identity checklist, container condition check, and production material acceptance.
4. “Show me how a batch gets released.” Use Golden Thread. End on QA release and, if pushed, open QU Gates and QC-REC-003 from the matrix/core docs.
5. “What happens when something goes wrong in production?” Open Deviation / CAPA flow. Show trigger → deviation → investigation → CAPA → change control if needed → QU disposition.
6. “How do you handle deviations, complaints, and CAPA?” Start with Deviation / CAPA flow, then use the QA rows in the matrix for deeper workflow questions.
7. “How do you ensure your electronic records are trustworthy?” Open Data integrity / system control. Walk access control → validation → data integrity governance → record traceability → retention.
8. “How do you meet Part 11 expectations?” Use Data integrity / system control, then open validation program and electronic record governance.
9. “Can you trace this lot backward and forward?” Open Traceability & Recall Program from System Foundation & Control Anchors. If helpful, anchor back to Golden Thread.
10. “How do you know your system is complete?” Use Regulatory Crosswalk and SOP Register from Core proof docs. Keep it short and move back to real examples if the auditor continues.

Best practice: do not answer the first substantive question with more architecture. Answer it with one of the three audit flows.

How to use this live

  1. Start with the Architecture 1-Pager and keep the explanation to under one minute.
  2. Move immediately into the most relevant audit flow: Golden Thread, Deviation / CAPA, or Data Integrity.
  3. When a question comes, jump straight to the matrix row and open the “Open first” link.
  4. Only open “Backup proof” if the auditor drills down.
  5. Keep QU Gates and QC-REQ open in a separate tab the entire time.

This page is intentionally opinionated: it favors speed and demonstrability over exhaustiveness. That is what makes a system feel auditor-friendly.