Internal Audit Report — 2026-02-23

Internal audit of the ISO/IEC 17025:2017 management system per DAkkS FO-B_K_17025-2018 checklist structure, conducted 2026-02-23.

Executive Summary

Overall assessment: NOT READY for DAkkS accreditation application

The Analyt MTC QMS demonstrates exceptional technical infrastructure — Git-based document control, programmatic equipment management with automated drift analysis, and a well-structured DITA publishing pipeline. However, the system has fundamental gaps that would prevent successful DAkkS accreditation. Multiple critical deviations exist across process requirements (complaints, nonconforming work, reporting, contract review) and the entire management system closure loop (corrective actions, internal audits, management reviews). Approximately 25 topic files required by ISO 17025 exist only as empty shells. No calibration certificate template exists, the uncertainty budgets are incomplete (all CMC values "TBD"), and no ILC/PT participation has taken place. The technical measurement capability is strong, but the quality management superstructure needed to demonstrate trustworthy results is largely absent.

| Metric | Value |
| --- | --- |
| Audit date | 2026-02-23 |
| Auditor | AI Auditor (Claude Opus 4) (Automated Internal Auditor) |
| Audit type | pre-assessment |
| QMS version | 72c88d9 (72c88d9) |
| Critical deviations (Bewertung 3) | 18 |
| Non-critical deviations (Bewertung 2) | 9 |
| Clauses assessed | 28 of 30 |
| Previous audit | None (initial audit) |

Top Priority Actions

| Priority | Clause | Action | Severity |
| --- | --- | --- | --- |
| 1 | 7.9, 7.10, 8.7 | Build the complete reactive quality cycle: create complaint handling procedure (7.9), nonconforming work procedure with 6 required elements (7.10), and CAPA procedure with root cause analysis (8.7). These three are interdependent and must be developed together. | Critical |
| 2 | 7.8 | Design and validate a DAkkS-compliant calibration certificate template covering all 16 mandatory elements per 7.8.2.1, traceability statement per 7.8.4.1, decision rule documentation per 7.8.6, and amendment procedure per 7.8.8. | Critical |
| 3 | 7.6, 7.7 | Complete uncertainty budgets for both Molbloc-L and Molbloc-S technologies, finalize CMC values in accreditation_scope.dita, and establish an ILC/PT participation plan with at least one completed comparison before assessment. | Critical |
| 4 | 4.1, 4.2, 8.2 | Author the foundational policy documents: impartiality policy (4.1), confidentiality policy with NDA templates (4.2), and quality policy with objectives (8.2). These are prerequisites for the entire QMS. | Critical |
| 5 | 6.6, 6.5 | Create approved supplier list, supplier evaluation criteria, and evaluate all calibration service providers (Fluke, Europascal) and data processing providers (Cloudflare, Anthropic, Unstructured.io). Document traceability policy. | Critical |

Readiness Heat Map

Rating key: 1 = No deviation | 2 = Non-critical deviation | 3 = Critical deviation | n/a = Not applicable

| Clause | Title | Coverage | Evidence | Maturity | Rating |
| --- | --- | --- | --- | --- | --- |
| 4.1 | Impartiality | minimal | minimal | minimal | 3 |
| 4.2 | Confidentiality | minimal | n/a | n/a | 3 |
| 5 | Structural Requirements | partial | partial | partial | 3 |
| 6.1 | General (Resources) | partial | partial | partial | 2 |
| 6.2 | Personnel | good | partial | partial | 2 |
| 6.3 | Facilities & Environmental Conditions | partial | partial | partial | 2 |
| 6.4 | Equipment | good | good | full | 3 |
| 6.5 | Metrological Traceability | good | good | good | 2 |
| 6.6 | Externally Provided Products & Services | minimal | minimal | n/a | 3 |
| 7.1 | Review of Requests, Tenders & Contracts | partial | minimal | minimal | 3 |
| 7.2 | Selection, Verification & Validation of Methods | partial | partial | good | 3 |
| 7.3 | Sampling | n/a | n/a | n/a | n/a |
| 7.4 | Handling of Test or Calibration Items | partial | minimal | minimal | 3 |
| 7.5 | Technical Records | partial | partial | partial | 2 |
| 7.6 | Evaluation of Measurement Uncertainty | good | partial | good | 2 |
| 7.7 | Ensuring Validity of Results | partial | partial | good | 3 |
| 7.8 | Reporting of Results | partial | minimal | minimal | 3 |
| 7.9 | Complaints | minimal | n/a | n/a | 3 |
| 7.10 | Nonconforming Work | minimal | n/a | n/a | 3 |
| 7.11 | Control of Data & Information Management | partial | partial | good | 3 |
| 8.1 | Options (Management System) | partial | partial | partial | 2 |
| 8.2 | Management System Documentation | partial | minimal | minimal | 3 |
| 8.3 | Control of Management System Documents | full | full | full | 1 |
| 8.4 | Control of Records | partial | partial | partial | 2 |
| 8.5 | Actions to Address Risks & Opportunities | minimal | n/a | n/a | 2 |
| 8.6 | Improvement | minimal | n/a | n/a | 3 |
| 8.7 | Corrective Actions | minimal | n/a | n/a | 3 |
| 8.8 | Internal Audits | minimal | n/a | n/a | 3 |
| 8.9 | Management Reviews | minimal | n/a | n/a | 3 |

Coverage = topic/procedure exists and addresses clause requirements. Evidence = objective evidence (documents, records, data) is present. Maturity = evidence of ongoing implementation, review, and improvement. Levels: full | good | partial | minimal | n/a.

4.1 Impartiality

Norm: ISO/IEC 17025:2017, clause 4.1 (4.1.1–4.1.5). Sub-clauses cover: impartial conduct (4.1.1), management commitment (4.1.2), no commercial pressure (4.1.3), ongoing risk identification (4.1.4), risk elimination/minimization (4.1.5).

QMS reference documents: commitment_to_impartiality.dita (placeholder text only), quality_policy.dita (EMPTY), risk_management_preventive_actions.dita (EMPTY), organizational_chart.dita

Findings: The impartiality framework is fundamentally absent from the QMS. The file commitment_to_impartiality.dita exists but contains only placeholder test text rather than an actual impartiality commitment. The quality_policy.dita file is an empty shell. The risk_management_preventive_actions.dita file is also empty. A structural impartiality risk was identified: the organizational chart shows the Lab Manager (Matthias Boularot) serves as backup for both Sales and CEO functions (Alexandra Roberg). This dual-role arrangement creates a potential conflict of interest between commercial pressures and laboratory impartiality that must be formally assessed and mitigated per 4.1.4. No ongoing risk identification mechanism exists (4.1.4), and no procedure for eliminating or minimizing identified risks is documented (4.1.5). ABW-001 (kritisch): No impartiality policy, no risk identification, no risk mitigation. All five sub-clauses (4.1.1 through 4.1.5) are unmet.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 1. ED | Documentation/topics/quality_compliance_management/commitment_to_impartiality.dita — placeholder text only (2025-03-10) |
| 2. ED | Documentation/topics/quality_compliance_management/quality_policy.dita — EMPTY shell (2025-03-10) |
| 3. ED | Documentation/topics/continuous_improvement_change_control/risk_management_preventive_actions.dita — EMPTY shell (2025-03-10) |
| 4. ON | Documentation/topics/organizational_structure_personnel_management/organizational_chart.dita — shows Lab Manager backs up Sales and CEO (2025-03-10) |
  1. Searched for impartiality policy — found placeholder text only in commitment_to_impartiality.dita
  2. Checked quality_policy.dita for overarching policy — EMPTY
  3. Checked risk_management_preventive_actions.dita for risk identification — EMPTY
  4. Reviewed organizational_chart.dita — identified structural risk (Lab Manager dual-role)

4.2 Confidentiality

Norm: ISO/IEC 17025:2017, clause 4.2 (4.2.1–4.2.4). Sub-clauses cover: enforceable confidentiality agreements (4.2.1), disclosure obligations (4.2.2), third-party information (4.2.3), personnel confidentiality obligations (4.2.4).

QMS reference documents: confidentiality_agreements.dita (EMPTY), document_control_change_management.dita (mentions Entra ID authentication)

Findings: No confidentiality framework exists in the QMS. The confidentiality_agreements.dita file is an empty shell. No NDA templates were found anywhere in the repository. No information classification system has been established. No procedure exists for notifying customers when legally required to disclose information (4.2.2). No mechanism ensures personnel maintain confidentiality of information obtained from sources other than the customer (4.2.3). The only positive finding is that Entra ID authentication exists for the WebHelp platform, providing basic access control to QMS documents. ABW-002 (kritisch): No confidentiality policy, no NDA templates, no information classification, no disclosure notification procedure, no personnel confidentiality acknowledgements. All four sub-clauses (4.2.1 through 4.2.4) are unmet.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 5. ED | Documentation/topics/quality_compliance_management/confidentiality_agreements.dita — EMPTY shell (2025-03-10) |
| 6. ON | Documentation/topics/quality_compliance_management/document_control_change_management.dita — mentions Entra ID authentication (2025-03-10) |
  1. Searched for confidentiality policy — confidentiality_agreements.dita is EMPTY
  2. Searched for NDA templates — none found in repository
  3. Found Entra ID authentication as infrastructure control only

5 Structural Requirements

Norm: ISO/IEC 17025:2017, clause 5 (5.1–5.7). Sub-clauses cover: legal entity (5.1), management responsibility (5.2), scope definition (5.3), compliance with requirements (5.4), organizational structure (5.5), QMS authority/resources (5.6), management communication (5.7).

QMS reference documents: organizational_chart.dita, authorization_competency_matrix.dita, accreditation_scope.dita, document_control_change_management.dita, compliance_tracking_legal_obligations.dita (EMPTY), quality_policy.dita (EMPTY), management_reviews.dita (EMPTY), corrective_preventive_actions_capa.dita (EMPTY)

Findings: The structural requirements are partially addressed. The organizational chart clearly identifies the laboratory structure with CEO (Alexandra Roberg) and Lab Manager (Matthias Boularot), and the authorization_competency_matrix.dita provides 15 specific authorizations with named personnel and dates. The accreditation_scope.dita defines the scope of activities but all CMC values remain "TBD". Document control via Git is well-established. However, critical gaps exist: the legal entity status is inferable but not formally declared (5.1). Management responsibility is identifiable through cross-reference but not formally stated (5.2). The compliance_tracking_legal_obligations.dita file is empty (5.4). The quality_policy.dita is empty, meaning no communication on QMS effectiveness exists (5.7). The management_reviews.dita and corrective_preventive_actions_capa.dita are both empty, leaving the management communication loop broken. ABW-003 (kritisch): No formal legal entity declaration in QMS (5.1). No quality policy or management communication process (5.7). CMC values all "TBD" (5.3).

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 7. ON | Documentation/topics/organizational_structure_personnel_management/organizational_chart.dita (2025-03-10) |
| 8. ON | Documentation/topics/organizational_structure_personnel_management/authorization_competency_matrix.dita — 15 authorizations, named personnel (2025-03-10) |
| 9. ON | Documentation/topics/quality_compliance_management/accreditation_scope.dita — scope defined, CMC values "TBD" (2025-03-10) |
| 10. ON | Documentation/topics/quality_compliance_management/document_control_change_management.dita — Git-based change control (2025-03-10) |
| 11. ED | Documentation/topics/quality_compliance_management/compliance_tracking_legal_obligations.dita — EMPTY (2025-03-10) |
| 12. ED | Documentation/topics/quality_compliance_management/quality_policy.dita — EMPTY (2025-03-10) |
| 13. ED | Documentation/topics/quality_compliance_management/management_reviews.dita — EMPTY (2025-03-10) |
| 14. ED | Documentation/topics/continuous_improvement_change_control/corrective_preventive_actions_capa.dita — EMPTY (2025-03-10) |
  1. Verified organizational chart identifies lab structure — COMPLETE
  2. Verified authorization matrix — 15 authorizations with named personnel
  3. Checked accreditation_scope.dita — scope defined but CMC values "TBD"
  4. Checked quality_policy.dita — EMPTY, no management communication
  5. Checked management_reviews.dita — EMPTY, PDCA loop broken

6.1 General (Resources)

Norm: ISO/IEC 17025:2017, clause 6.1. The laboratory must have personnel, facilities, equipment, systems, and support services required for its activities.

QMS reference documents: Personnel records (6 employees), equipment master list (13 instruments), approved_supplier_list.dita (EMPTY)

Findings: The laboratory demonstrates partial resource adequacy. Personnel records exist for 6 employees with roles and qualifications. The equipment master list covers 13 instruments across 4 categories. However, facilities documentation is not consolidated in a dedicated topic — references are scattered. Support services are critically weak: the approved_supplier_list.dita is empty and 4 of 5 supplier management topics are empty shells, meaning the laboratory cannot demonstrate adequate support service provision. ABW-004 (nicht kritisch): Resource adequacy is partially demonstrated. Support services (supplier management) are undocumented. No consolidated facilities assessment exists.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 15. ON | Personnel records: 6 employee files with roles and qualifications (2025-03-10) |
| 16. ON | Equipment master list: 13 instruments across 4 categories (2026-02-23) |
| 17. ED | Documentation/topics/supplier_external_provider_management/approved_supplier_list.dita — EMPTY (2025-03-10) |
  1. Verified personnel records — 6 employees documented
  2. Verified equipment master list — 13 instruments across 4 categories
  3. Checked supplier management — approved_supplier_list.dita is EMPTY

6.2 Personnel

Norm: ISO/IEC 17025:2017, clause 6.2 (6.2.1–6.2.6). Sub-clauses cover: impartiality and competence (6.2.1), competence requirements documentation (6.2.2), competence assurance (6.2.3), communication of duties (6.2.4), competence management procedures (6.2.5), personnel authorization (6.2.6).

QMS reference documents: authorization_competency_matrix.dita, 7 role descriptions, 6 employee records, commitment_to_impartiality.dita (placeholder only)

Findings: Personnel management shows good structural foundations but lacks operational depth. The authorization_competency_matrix.dita is substantive with named personnel, specific activities, competency levels, and assessment dates. Seven role descriptions exist covering all key functions (lab_manager_quality_manager, senior_technician, lab_technician, sales, logistics, purchasing, IT). Six employee records contain roles, qualifications, and basic training data. However, training records are minimal (approximately 1 entry per employee) with no evidence of ongoing competence monitoring (6.2.5). No selection or supervision procedures were found (6.2.3). The commitment_to_impartiality.dita contains only placeholder text, meaning personnel impartiality commitments are absent (6.2.4). The Lab Manager self-authorizes for most activities, which creates an authorization gap that should be documented and justified (6.2.6). ABW-005 (nicht kritisch): Training records are minimal. No ongoing competence monitoring. No selection/supervision procedures. Impartiality commitment placeholder only. Self-authorization not justified.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 18. ON | Documentation/topics/organizational_structure_personnel_management/authorization_competency_matrix.dita — 15 authorizations, named personnel, dated 2025-03-10 (2025-03-10) |
| 19. ON | 7 role descriptions (lab_manager, senior_technician, lab_technician, sales, logistics, purchasing, IT) (2025-03-10) |
| 20. ON | 6 employee records with roles and qualifications (2025-03-10) |
| 21. ED | Documentation/topics/quality_compliance_management/commitment_to_impartiality.dita — placeholder text only (2025-03-10) |
  1. Verified authorization matrix — 15 authorizations with named personnel
  2. Verified role descriptions — 7 roles covering key functions
  3. Checked training records — minimal (1 entry per employee)
  4. Checked impartiality commitment — placeholder text only

6.3 Facilities & Environmental Conditions

Norm: ISO/IEC 17025:2017, clause 6.3 (6.3.1–6.3.5). Sub-clauses cover: suitability (6.3.1), documented requirements (6.3.2), monitoring/control/recording (6.3.3), access and contamination controls (6.3.4), non-permanent sites (6.3.5).

QMS reference documents: storage_handling_guidelines.dita, limits_and_calibration_types.dita, molbloc_l_series_mass_flow_calibration.dita, access_control_equipment_security_measures.dita

Findings: Facilities documentation is partial. The laboratory is described as "climate-controlled and continuously monitored" in storage_handling_guidelines.dita. Environmental limits are specified (15-25 deg C, <0.2 deg C/min rate of change) in limits_and_calibration_types.dita. A dashboard-based monitoring system with traffic light stability criteria is described in the calibration procedure. Access control is strong with badge-controlled door, camera, and electronic log. However, no dedicated facility suitability assessment or floor plan exists (6.3.1). Environmental requirements are not consolidated — only temperature is documented; humidity, vibration, and other factors relevant to mass flow calibration are not addressed (6.3.2). The monitoring system exists but has no formal procedure, no monitoring records are retained in the QMS, and the monitoring instruments are not included in the equipment management system and therefore not calibrated or traceably maintained (6.3.3). ABW-006 (nicht kritisch): No consolidated environmental requirements. Monitoring instruments not calibrated. No monitoring records. No facility suitability assessment.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 22. ON | Documentation/topics/equipment_management/storage_handling_guidelines.dita — "climate-controlled and continuously monitored" (2025-03-10) |
| 23. ON | Documentation/topics/laboratory_procedures_workflows/limits_and_calibration_types.dita — 15-25 deg C, <0.2 deg C/min (2026-02-22) |
| 24. ON | Documentation/topics/laboratory_procedures_workflows/molbloc_l_series_mass_flow_calibration.dita — dashboard with traffic light criteria (2026-02-22) |
| 25. ON | Documentation/topics/equipment_management/access_control_equipment_security_measures.dita — badge, camera, electronic log (2025-03-10) |
  1. Found environmental limits in limits_and_calibration_types.dita — 15-25 deg C
  2. Found monitoring dashboard in calibration procedure — traffic light criteria
  3. Checked for monitoring instrument calibration — not in equipment management system
  4. Checked for facility suitability assessment — none found

6.4 Equipment

Norm: ISO/IEC 17025:2017, clause 6.4 (6.4.1–6.4.13). Sub-clauses cover: access to equipment (6.4.1), external equipment (6.4.2), handling/maintenance procedures (6.4.3), pre-use verification (6.4.4), measurement capability (6.4.5), calibration program (6.4.6–6.4.7), calibration status labeling (6.4.8), defective equipment (6.4.9), intermediate checks (6.4.10), correction factors (6.4.11), tamper protection (6.4.12), equipment records (6.4.13).

QMS reference documents: equipment_master_list.dita, equipment_monitoring_drift_analysis.dita, per-device drift pages, device_config.yaml files, generate.py, storage_handling_guidelines.dita, access_control_equipment_security_measures.dita, defective_equipment_non_conformance_reporting.dita (EMPTY)

Findings: Equipment management is one of the strongest areas of the QMS, with an impressive programmatic approach to equipment tracking, drift analysis, and specification compliance. The equipment master list documents 13 instruments across 4 categories with individual DITA-generated pages containing 10-16 year calibration histories. The drift analysis methodology implements Dev/Spec ratios, En numbers, ICD charts, and trend analysis. Equipment specifications are well-documented in device_config.yaml files. Correction factors are properly tracked (6.4.11). Despite this strong technical infrastructure, critical gaps exist: Environmental monitoring instruments are outside the equipment management system (6.4.1). No maintenance plan or formal use procedures exist (6.4.3). Molbox1 A700K SN880 has an anomalous status: last calibrated 2018-08-30, due 2019-08-01, yet status remains "active" — approximately 7 years overdue (6.4.6). defective_equipment_non_conformance_reporting.dita is completely EMPTY — no procedure exists for taking defective equipment out of service (6.4.9). ABW-007 (kritisch): Defective equipment procedure completely absent. Environmental monitoring instruments not under metrological control. No maintenance plan. Molbox SN880 approximately 7 years overdue.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 26. ON | Documentation/topics/equipment_management/equipment_master_list/equipment_master_list.dita — 13 instruments, 4 categories (2026-02-23) |
| 27. ON | Documentation/topics/equipment_management/equipment_monitoring_drift_analysis.dita — ~500 lines, Dev/Spec, En, ICD, trend (2026-02-22) |
| 28. ON | Per-device drift pages (*_drift.dita) — 13+ devices with multi-year calibration histories (2026-02-23) |
| 29. ON | Resources/Equipment/ device_config.yaml files — programmatic specifications (2026-02-23) |
| 30. ON | src/equipctl/generate.py — equipment page generation tooling (2026-02-23) |
| 31. ON | Documentation/topics/equipment_management/storage_handling_guidelines.dita — return-to-service process (2025-03-10) |
| 32. ON | Documentation/topics/equipment_management/access_control_equipment_security_measures.dita — badge-controlled lab access (2025-03-10) |
| 33. ED | Documentation/topics/equipment_management/defective_equipment_non_conformance_reporting.dita — EMPTY (2025-03-10) |
| 34. ON | Molbox1 A700K SN880 equipment page — last cal 2018-08-30, due 2019-08-01, status "active" (2026-02-23) |
  1. Verified equipment master list — 13 instruments with comprehensive tracking
  2. Verified drift analysis methodology — Dev/Spec, En, ICD, trend across 13+ devices
  3. Checked defective equipment procedure — defective_equipment_non_conformance_reporting.dita EMPTY
  4. Identified Molbox SN880 anomaly — approximately 7 years overdue for calibration
  5. Checked environmental monitoring instruments — not in equipment management system

6.5 Metrological Traceability

Norm: ISO/IEC 17025:2017, clause 6.5 (6.5.1–6.5.3). Sub-clauses cover: documented unbroken calibration chain (6.5.1), SI traceability routes (6.5.2), non-SI references (6.5.3).

QMS reference documents: Equipment master list calibration histories, uncertainties_of_molbloc_l.dita, Fluke Calibration Phoenix certificates, Europascal GmbH certificates, approved_supplier_list.dita (EMPTY), calibration_service_provider_tracking.dita (EMPTY)

Findings: Metrological traceability is well-established in practice. The equipment master list documents 100+ pages of calibration certificate data with uncertainties. SI traceability is achieved through accredited calibration laboratories: Fluke Calibration Phoenix (referencing "Fluke ISO 17025 Quality Manual, QSD 111.41") and Europascal GmbH (DAkkS D-K-15055-01-00). The uncertainty analysis for Molbloc-L traces reference uncertainty (L7) to gravimetric primary standards. Clause 6.5.3 is not applicable as all measurands are SI-traceable. However, no formal traceability policy document exists (6.5.1). The approved_supplier_list.dita and calibration_service_provider_tracking.dita are both empty, meaning provider accreditation status is not formally tracked (6.5.2). Accreditation numbers are recorded in PDF calibration certificates but not in the structured DITA metadata. ABW-008 (nicht kritisch): No formal traceability policy. Provider accreditation status not formally tracked. Accreditation numbers not in structured metadata.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 35. ON | Equipment master list calibration histories — 100+ detail pages with data and uncertainties (2026-02-23) |
| 36. ON | Documentation/topics/laboratory_procedures_workflows/uncertainties_of_molbloc_l.dita — L7 reference uncertainty traces to gravimetric primary standards (2026-02-22) |
| 37. ON | Fluke Calibration Phoenix certificates — references "Fluke ISO 17025 Quality Manual, QSD 111.41" (N/A external) |
| 38. ON | Europascal GmbH certificates — DAkkS D-K-15055-01-00 (N/A external) |
| 39. ED | Documentation/topics/supplier_external_provider_management/approved_supplier_list.dita — EMPTY (2025-03-10) |
| 40. ED | Documentation/topics/supplier_external_provider_management/calibration_service_provider_tracking.dita — EMPTY (2025-03-10) |
  1. Verified calibration certificates with uncertainties — 100+ pages in equipment master list
  2. Verified SI traceability route — Fluke and Europascal accredited providers
  3. Checked formal traceability policy — none found
  4. Checked provider tracking — approved_supplier_list.dita and calibration_service_provider_tracking.dita both EMPTY

6.6 Externally Provided Products & Services

Norm: ISO/IEC 17025:2017, clause 6.6 (6.6.1–6.6.3). Sub-clauses cover: suitability assurance (6.6.1), evaluation/monitoring procedures (6.6.2), communicating requirements to providers (6.6.3).

QMS reference documents: approved_supplier_list.dita (EMPTY), supplier_evaluation_reassessment_criteria.dita (EMPTY), calibration_service_provider_tracking.dita (EMPTY), service_contracts_agreements.dita (EMPTY), supplier_issues_resolution_log.dita (EMPTY)

Findings: External provider management is almost entirely absent from the QMS despite the laboratory using multiple external providers. In practice, accredited calibration providers (Europascal GmbH with DAkkS D-K-15055-01-00, Fluke Calibration Phoenix) are used, which is sound practice. However, no documentation supports this practice. All five supplier management files have been empty shells since their creation on 2024-03-08 — 23 months without any content. No suitability criteria for external providers are defined (6.6.1). No procedure or records exist for evaluating and monitoring providers (6.6.2). No documented communication of requirements to providers exists (6.6.3). ABW-009 (kritisch): Complete absence of external provider management. All 5 supplier management files empty for 23 months. No evaluation criteria, no provider records, no requirements communication.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 41. ED | Documentation/topics/supplier_external_provider_management/approved_supplier_list.dita — EMPTY since 2024-03-08 (2025-03-10) |
| 42. ED | Documentation/topics/supplier_external_provider_management/supplier_evaluation_reassessment_criteria.dita — EMPTY (2025-03-10) |
| 43. ED | Documentation/topics/supplier_external_provider_management/calibration_service_provider_tracking.dita — EMPTY (2025-03-10) |
| 44. ED | Documentation/topics/supplier_external_provider_management/service_contracts_agreements.dita — EMPTY (2025-03-10) |
| 45. ED | Documentation/topics/supplier_external_provider_management/supplier_issues_resolution_log.dita — EMPTY (2025-03-10) |
| 46. ON | Europascal GmbH certificates in equipment pages — DAkkS D-K-15055-01-00 (practice evidence) (N/A external) |
| 47. ON | Fluke Calibration Phoenix certificates in equipment pages (practice evidence) (N/A external) |
  1. Checked all 5 supplier management files — all EMPTY for 23 months
  2. Found practice evidence of accredited providers in equipment calibration certificates
  3. No evaluation criteria, records, or requirements communication documented

7.1 Review of Requests, Tenders & Contracts

Norm: ISO/IEC 17025:2017, clause 7.1 (7.1.1–7.1.8). Sub-clauses cover: review procedure (7.1.1), inappropriate methods notification (7.1.2), conformity statements and decision rules (7.1.3), pre-work clarification (7.1.4), contract deviation notification (7.1.5), post-start changes (7.1.6), customer cooperation (7.1.7), review records (7.1.8).

QMS reference documents: review_of_requests_contracts.dita, OSTicket system

Findings: A review_of_requests_contracts.dita exists with a 5-step workflow based on OSTicket, with roles defined. Customer communication via OSTicket is functional (7.1.7). Records are maintained in OSTicket (7.1.8). However, critical gaps exist: no defined decision rule for conformity statements (7.1.3). No procedure for informing the customer of deviations from the contract (7.1.5). No contract amendment re-review process (7.1.6). The review procedure itself is incomplete, lacking external provider coordination and method selection steps (7.1.1). The contract-to-certificate chain is broken. ABW-010 (kritisch): Contract review procedure is incomplete and missing critical elements: no decision rule for conformity statements (7.1.3), no customer deviation notification (7.1.5), no re-review for contract amendments (7.1.6).

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 48. ON | Documentation/topics/laboratory_procedures_workflows/review_of_requests_contracts.dita — 5-step OSTicket workflow (N/A) |
| 49. ON | OSTicket system for customer communication (7.1.7, 7.1.8) (N/A external system) |
  1. Found review procedure — 5-step OSTicket workflow exists
  2. Checked for decision rules — none documented (7.1.3)
  3. Checked for deviation notification — none documented (7.1.5)
  4. Checked for amendment re-review — none documented (7.1.6)

7.2 Selection, Verification & Validation of Methods

Norm: ISO/IEC 17025:2017, clause 7.2 (7.2.1–7.2.2). Sub-clauses cover: method selection and application (7.2.1.1–7.2.1.7), method validation (7.2.2.1–7.2.2.4).

QMS reference documents: calibrating_a_mass_flow_meter.dita, molbloc_l_uncertainty_analysis.dita, uncertainties_of_molbloc_l.dita, validation_verification_of_methods.dita (EMPTY), leak_uncertainty.dita (EMPTY)

Findings: Method documentation for Molbloc-L technology is technically impressive. The calibrating_a_mass_flow_meter.dita provides detailed procedures with a verification section. The molbloc_l_uncertainty_analysis.dita references JCGM 100:2008. The uncertainties_of_molbloc_l.dita identifies 9 uncertainty components (L1-L9) with distributions and sensitivities. However, method documentation covers only Molbloc-L, not Molbloc-S (approximately half the accreditation scope). The leak term in the measurement model has unquantified uncertainty. Critical gaps: no procedure for method deviations (7.2.1.7). No change impact assessment procedure (7.2.2.2). No validation records (7.2.2.4). The validation_verification_of_methods.dita is empty. ABW-011 (kritisch): No procedure for method deviations. No method change impact assessment. No validation records. Molbloc-S method documentation missing. Leak uncertainty unquantified.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| 50. ON | Documentation/topics/laboratory_procedures_workflows/calibrating_a_mass_flow_meter.dita — detailed Molbloc-L method with verification section (2026-02-22) |
| 51. ON | Documentation/topics/laboratory_procedures_workflows/molbloc_l_uncertainty_analysis.dita — JCGM 100:2008 referenced (2026-02-22) |
| 52. ON | Documentation/topics/laboratory_procedures_workflows/uncertainties_of_molbloc_l.dita — 9 components (L1-L9) (2026-02-22) |
| 53. ED | Documentation/topics/laboratory_procedures_workflows/validation_verification_of_methods.dita — EMPTY (2025-03-10) |
| 54. ED | Documentation/topics/laboratory_procedures_workflows/leak_uncertainty.dita — EMPTY (2025-03-10) |
  1. Verified Molbloc-L method documentation — technically detailed
  2. Checked for Molbloc-S method — none found (half the scope missing)
  3. Checked validation_verification_of_methods.dita — EMPTY
  4. Checked leak_uncertainty.dita — EMPTY

7.3 Sampling

Norm: ISO/IEC 17025:2017, clause 7.3 (7.3.1–7.3.3). Sub-clauses cover: sampling plan and procedure (7.3.1), procedure content (7.3.2), sampling records (7.3.3).

QMS reference documents: Not applicable

Findings: Sampling is not applicable to the laboratory's scope of calibration activities. Calibration items are received directly from customers.

| Lfd.-Nr. / ON | Description / Date |
| --- | --- |
| -- | Not applicable |

7.4 Handling of Test or Calibration Items

Norm: ISO/IEC 17025:2017, clause 7.4 (7.4.1–7.4.4). Sub-clauses cover: handling procedures (7.4.1), identification system (7.4.2), receipt deviations (7.4.3), storage conditions (7.4.4).

QMS reference documents: storage_handling_guidelines.dita, molbloc_l_series_mass_flow_calibration.dita, authorization_competency_matrix.dita, sample_reception_handling.dita (EMPTY)

Findings: Item handling documentation is scattered and incomplete. The storage_handling_guidelines.dita covers lab equipment handling and return-to-service but not customer DUT reception specifically. The calibration procedure describes DUT scanning, digital signing, and data file generation. The authorization_competency_matrix.dita assigns personnel for reception and shipping. However, sample_reception_handling.dita is an empty placeholder (7.4.1). The identification system exists in practice (Compass service management software) but is undocumented (7.4.2). No deviation recording procedure at receipt exists (7.4.3). Environmental monitoring instruments for storage conditions are not calibrated. ABW-012 (kritisch): No deviation recording procedure at receipt. sample_reception_handling.dita is empty. Identification system undocumented. Customer DUT handling entirely undocumented.

Lfd.-Nr. / ON | Description / Date
55. ON | Documentation/topics/equipment_management/storage_handling_guidelines.dita — lab equipment handling, transport, return-to-service (2025-03-10)
56. ON | Documentation/topics/laboratory_procedures_workflows/molbloc_l_series_mass_flow_calibration.dita — DUT scanning, digital signing (2026-02-22)
57. ON | Documentation/topics/organizational_structure_personnel_management/authorization_competency_matrix.dita — personnel authorized for reception/shipping (2025-03-10)
58. ED | Documentation/topics/laboratory_procedures_workflows/sample_reception_handling.dita — EMPTY (2025-03-10)

  1. Found equipment handling in storage_handling_guidelines.dita — covers lab equipment only
  2. Checked sample_reception_handling.dita — EMPTY
  3. Checked for deviation recording at receipt — none found
  4. Checked environmental monitoring for storage — instruments not calibrated

7.5 Technical Records

Norm: ISO/IEC 17025:2017, clause 7.5 (7.5.1–7.5.2). Sub-clauses cover: content and contemporaneous recording (7.5.1), change traceability (7.5.2).

QMS reference documents: molbloc_l_series_mass_flow_calibration.dita, document_control_change_management.dita, Git commit history

Findings: Technical records have a functional workflow: Compass Software manages service records, digital signatures are used, and data files are generated during calibration. Git provides amendment tracking for QMS documents with full version history. However, no formal technical records policy exists (7.5.1). The raw measurement data tracking outside the DITA pipeline is not documented (7.5.2). While the infrastructure is sound, the policy and procedure layer is missing. ABW-013 (nicht kritisch): No formal technical records policy. Raw measurement data tracking not documented. Policy layer missing despite functional infrastructure.

Lfd.-Nr. / ON | Description / Date
59. ON | Documentation/topics/laboratory_procedures_workflows/molbloc_l_series_mass_flow_calibration.dita — data file generation, digital signing (2026-02-22)
60. ON | Documentation/topics/quality_compliance_management/document_control_change_management.dita — Git-based amendment tracking (2025-03-10)
61. ON | Git commit history — full audit trail of document changes (2026-02-23)

  1. Verified Git-based amendment tracking — complete audit trail
  2. Found data file generation in calibration procedure
  3. Checked for formal technical records policy — none found

7.6 Evaluation of Measurement Uncertainty

Norm: ISO/IEC 17025:2017, clause 7.6 (7.6.1–7.6.3). Sub-clauses cover: uncertainty contribution identification (7.6.1), calibration uncertainty evaluation (7.6.2), test uncertainty estimation (7.6.3).

QMS reference documents: uncertainties_of_molbloc_l.dita, molbloc_l_uncertainty_analysis.dita, equipment drift pages, measurement_uncertainty_evaluation.dita (EMPTY), leak_uncertainty.dita (EMPTY), accreditation_scope.dita (CMC "TBD")

Findings: Uncertainty identification for Molbloc-L technology is well-developed. The uncertainties_of_molbloc_l.dita identifies 9 contributions (L1-L9) with probability distributions and sensitivity coefficients. The molbloc_l_uncertainty_analysis.dita provides GUM-referenced methodology. Equipment drift pages provide extensive calibration data feeding uncertainty evaluation. However, no Molbloc-S uncertainty analysis exists (7.6.1 — covers only half the scope). The measurement_uncertainty_evaluation.dita procedure is an empty stub. No complete combined uncertainty budget exists for any calibration. All CMC values in accreditation_scope.dita remain "TBD" (7.6.2). The leak uncertainty component is empty. ABW-014 (nicht kritisch): No complete uncertainty budget. No Molbloc-S analysis. All CMC "TBD". Leak uncertainty unquantified. FLAGGED FOR HUMAN REVIEW: 7.6.2 may warrant critical rating given direct accreditation impact.

Lfd.-Nr. / ON | Description / Date
62. ON | Documentation/topics/laboratory_procedures_workflows/uncertainties_of_molbloc_l.dita — 9 components (L1-L9), distributions, sensitivities (2026-02-22)
63. ON | Documentation/topics/laboratory_procedures_workflows/molbloc_l_uncertainty_analysis.dita — GUM-referenced methodology (2026-02-22)
64. ON | Equipment drift pages with uncertainty bands (2026-02-23)
65. ED | Documentation/topics/laboratory_procedures_workflows/measurement_uncertainty_evaluation.dita — EMPTY stub (2025-03-10)
66. ED | Documentation/topics/laboratory_procedures_workflows/leak_uncertainty.dita — EMPTY (2025-03-10)
67. ON | Documentation/topics/quality_compliance_management/accreditation_scope.dita — CMC tables all "TBD" (2025-03-10)

  1. Verified Molbloc-L uncertainty components — 9 contributions identified (L1-L9)
  2. Checked for Molbloc-S uncertainty analysis — none found
  3. Checked for combined uncertainty budget — none exists
  4. Checked CMC values in accreditation_scope.dita — all "TBD"

7.7 Ensuring Validity of Results

Norm: ISO/IEC 17025:2017, clause 7.7 (7.7.1–7.7.3). Sub-clauses cover: internal monitoring procedure (7.7.1 a–k), interlaboratory comparisons/proficiency testing (7.7.2), data analysis and corrective action (7.7.3).

QMS reference documents: equipment_monitoring_drift_analysis.dita, per-device drift pages, ensuring_validity_of_results.dita (EMPTY), nonconforming_work_log.dita (EMPTY)

Findings: Result validity monitoring infrastructure is impressive. The equipment_monitoring_drift_analysis.dita (~500 lines, created 2026-02-22) implements Dev/Spec ratios, En numbers, Internal Consistency Diagrams (ICD), and trend analysis across 13+ devices with multi-year calibration histories. However, ensuring_validity_of_results.dita is empty (7.7.1). Zero ILC/PT participation or planning exists (7.7.2). No formal action procedures exist for when monitoring data shows out-of-criteria results (7.7.3), and the nonconforming_work_log.dita is empty. ABW-015 (kritisch): Zero ILC/PT participation (7.7.2). ensuring_validity_of_results.dita empty. No action procedures for out-of-criteria results. Detection infrastructure works, but escalation and response pathway completely absent.

Lfd.-Nr. / ON | Description / Date
68. ON | Documentation/topics/equipment_management/equipment_monitoring_drift_analysis.dita — ~500 lines, Dev/Spec, En, ICD, trend (2026-02-22)
69. ON | Per-device drift pages — 13+ devices with multi-year histories (2026-02-23)
70. ED | Documentation/topics/laboratory_procedures_workflows/ensuring_validity_of_results.dita — EMPTY (2025-03-10)
71. ED | docs/interlaboratory-pairwise-comparisons-en-number.md — educational reference only, no actual ILC/PT data (2026-02-22)
72. ED | Documentation/topics/complaints_nonconforming_work/nonconforming_work_log.dita — EMPTY (2025-03-10)

  1. Verified drift analysis methodology — comprehensive multi-metric approach
  2. Checked ILC/PT participation — zero participation or planning
  3. Checked ensuring_validity_of_results.dita — EMPTY
  4. Checked escalation pathway — nonconforming_work_log.dita EMPTY

7.8 Reporting of Results

Norm: ISO/IEC 17025:2017, clause 7.8 (7.8.1–7.8.8). Sub-clauses cover: general reporting (7.8.1), common requirements (7.8.2), test reports (7.8.3), calibration certificates (7.8.4), sampling reports (7.8.5), conformity statements (7.8.6), opinions and interpretations (7.8.7), amendments (7.8.8).

QMS reference documents: authorization_competency_matrix.dita, molbloc_l_series_mass_flow_calibration.dita, Resources/Certificates Requirements/Examples/, ILAC_P14

Findings: Reporting infrastructure has some positive elements: authorization for "Review and Sign Calibration Certificates" exists. The calibration procedure describes report generation with digital signing. Reference certificates from DAkkS, COFRAC, and US labs are available. ILAC_P14 is available. However, no calibration certificate template exists anywhere in the repository — the 16 mandatory elements per ILAC P14 cannot be verified (7.8.2.1). No traceability statement template exists (7.8.4.1). No amendment procedure for issued certificates (7.8.8). Decision rules not documented (7.8.6.1). Certificate production chain entirely undocumented. ABW-016 (kritisch): No calibration certificate template. No traceability statement. No amendment procedure. No decision rule documentation.

Lfd.-Nr. / ON | Description / Date
73. ON | Documentation/topics/organizational_structure_personnel_management/authorization_competency_matrix.dita — "Review and Sign Calibration Certificates" (2025-03-10)
74. ON | Documentation/topics/laboratory_procedures_workflows/molbloc_l_series_mass_flow_calibration.dita — report generation, digital signing (2026-02-22)
75. ON | Resources/Certificates Requirements/Examples/ — DAkkS, COFRAC, US reference certificates (N/A reference)
76. ON | Resources/Norm/ILAC_P14_09_2020-1.pdf — available (N/A reference)
77. ED | No lab-own certificate template found (N/A)
78. ED | No traceability statement template found (N/A)

  1. Found authorization for certificate review and signing
  2. Found reference certificates from DAkkS, COFRAC, US labs
  3. Searched for lab certificate template — none found
  4. Searched for traceability statement template — none found
  5. Checked for amendment procedure — none found

7.9 Complaints

Norm: ISO/IEC 17025:2017, clause 7.9 (7.9.1–7.9.7). Sub-clauses cover: documented procedure (7.9.1), availability and responsibility (7.9.2), procedure elements (7.9.3), information gathering (7.9.4), acknowledgment and reporting (7.9.5), independent review (7.9.6), formal closure (7.9.7).

QMS reference documents: complaint_handling_resolution_tracking.dita (EMPTY), Lab Manager role description, Senior Technician role description

Findings: The complaint handling framework is completely absent. The complaint_handling_resolution_tracking.dita is an empty shell. All seven sub-clauses (7.9.1 through 7.9.7) are unmet: no documented procedure, no availability to interested parties, no process elements, no verification procedure, no communication protocol, no independence mechanism, and no formal closure notification. The only related evidence is found in role descriptions mentioning complaint handling — indicating awareness but no implemented process. ABW-017 (kritisch): Complete absence of complaint handling procedure. All 7 sub-clauses unmet. No procedure, no records, no independence mechanism.

Lfd.-Nr. / ON | Description / Date
79. ED | Documentation/topics/complaints_nonconforming_work/complaint_handling_resolution_tracking.dita — EMPTY (2025-03-10)
80. ED | Lab Manager role description — mentions "Handle complex customer complaints" (awareness only) (2025-03-10)
81. ED | Senior Technician role description — mentions "Participate in complaint investigations" (awareness only) (2025-03-10)

  1. Checked complaint_handling_resolution_tracking.dita — EMPTY
  2. Found awareness in role descriptions but no implemented process
  3. Verified all 7 sub-clauses are unmet

7.10 Nonconforming Work

Norm: ISO/IEC 17025:2017, clause 7.10 (7.10.1–7.10.3). Sub-clauses cover: procedure with responsibilities and risk-based actions (7.10.1 a–f), records (7.10.2), escalation to corrective action (7.10.3).

QMS reference documents: nonconforming_work_log.dita (EMPTY), corrective_preventive_actions_capa.dita (EMPTY), root_cause_analysis_documentation.dita (EMPTY), incident_reports_follow_ups.dita (EMPTY), defective_equipment_non_conformance_reporting.dita (EMPTY), equipment_monitoring_drift_analysis.dita (cross-references 7.10)

Findings: The nonconforming work framework is completely absent. All supporting topics are empty shells. None of the 6 required elements of 7.10.1 are addressed (responsibilities, risk-based actions, impact assessment, acceptance decisions, customer notification, resumption authorization). No NC work records exist (7.10.2). No link to corrective action exists (7.10.3). The equipment_monitoring_drift_analysis.dita cross-references clause 7.10, indicating awareness, but this is a reference only. ABW-018 (kritisch): No nonconforming work procedure. Zero of 6 required elements addressed. All supporting topics empty. No records, no corrective action link.

Lfd.-Nr. / ON | Description / Date
82. ED | Documentation/topics/complaints_nonconforming_work/nonconforming_work_log.dita — EMPTY (2025-03-10)
83. ED | Documentation/topics/continuous_improvement_change_control/corrective_preventive_actions_capa.dita — EMPTY (2025-03-10)
84. ED | Documentation/topics/continuous_improvement_change_control/root_cause_analysis_documentation.dita — EMPTY (2025-03-10)
85. ED | Documentation/topics/continuous_improvement_change_control/incident_reports_follow_ups.dita — EMPTY (2025-03-10)
86. ED | Documentation/topics/equipment_management/defective_equipment_non_conformance_reporting.dita — EMPTY (2025-03-10)
87. ON | Documentation/topics/equipment_management/equipment_monitoring_drift_analysis.dita (lines 478-486) — cross-references 7.10 (awareness only) (2026-02-22)

  1. Checked all NC-related topics — all EMPTY
  2. Found cross-reference to 7.10 in drift analysis — awareness only
  3. Verified zero of 6 required elements addressed

7.11 Control of Data & Information Management

Norm: ISO/IEC 17025:2017, clause 7.11 (7.11.1–7.11.6). Sub-clauses cover: data access (7.11.1), system validation (7.11.2), protection and integrity (7.11.3 a–e), external systems (7.11.4), documentation accessibility (7.11.5), calculation checks (7.11.6).

QMS reference documents: document_control_change_management.dita, .gitlab-ci.yml, test_layer3_drift.py, compute.py, interpret.py, schema.py, incident_reports_follow_ups.dita (EMPTY), CLAUDE.md

Findings: Data management infrastructure is technically strong. Git+DITA+CI/CD+WebHelp+Entra ID provides a comprehensive platform. The src/equipctl/ tooling includes Pydantic validation and automated calculations. Independent verification tests exist. COTS software is used in standard configurations (7.11.3(c)). However, technical records storage outside the DITA pipeline is not documented (7.11.1). No formal LIMS validation exists — the equipctl test suite (22 test files) exists but is not in the CI/CD pipeline and is not documented as formal software validation (7.11.2). No system failure recording procedure (7.11.3(e)). Three external providers (Unstructured.io for PDF processing, Anthropic Claude API for LLM-based certificate extraction, Cloudflare Pages for hosting) process laboratory data with zero evaluation (7.11.4). ABW-019 (kritisch): No formal software validation for LIMS/equipctl. Three external data processing providers with zero evaluation. No system failure recording. LLM-based certificate extraction undocumented and unvalidated.

Lfd.-Nr. / ON | Description / Date
88. ON | Documentation/topics/quality_compliance_management/document_control_change_management.dita — Entra ID auth, single point of use (2025-03-10)
89. ON | .gitlab-ci.yml — CI/CD pipeline (no test stage) (2026-02-19)
90. ON | tests/audit/test_layer3_drift.py — independent drift reimplementation (2026-02-23)
91. ON | src/equipctl/compute.py — automated calculations (En, drift, specs) (2026-02-23)
92. ON | src/equipctl/interpret.py — LLM-based certificate extraction (2026-02-23)
93. ON | src/equipctl/schema.py — Pydantic validation (2026-02-23)
94. ED | Documentation/topics/continuous_improvement_change_control/incident_reports_follow_ups.dita — EMPTY (2025-03-10)
95. ON | CLAUDE.md — comprehensive system description (not published in QMS) (2026-02-23)

  1. Verified Git+DITA+CI/CD infrastructure — technically strong
  2. Found independent test suite — 22 test files, not in CI/CD pipeline
  3. Identified 3 external data processing providers — zero evaluation
  4. Checked incident_reports_follow_ups.dita — EMPTY

8.1 Options (Management System)

Norm: ISO/IEC 17025:2017, clause 8.1 (8.1.1–8.1.3). Sub-clauses cover: general management system requirement (8.1.1), Option A minimum elements (8.1.2), Option B ISO 9001 equivalence (8.1.3).

QMS reference documents: project.ditamap, WebHelp published site, quality_objectives.dita (EMPTY)

Findings: Option A has been selected for the management system. The project.ditamap (~500 lines) comprehensively links all QMS components (8.2.4). The WebHelp site, published behind Entra ID authentication, ensures all personnel have access (8.2.5). However, the quality_objectives.dita is empty (8.1.1). Management objectives align with lab goals in principle, but no documented objectives exist (8.1.2). ABW-020 (nicht kritisch): Management system established in structure (Option A) but quality objectives not documented.

Lfd.-Nr. / ON | Description / Date
96. ON | Documentation/project.ditamap — ~500 lines, comprehensive QMS linking (2026-02-23)
97. ON | WebHelp published site with Entra ID access (2026-02-23)
98. ED | quality_objectives.dita — EMPTY or missing (2025-03-10)

  1. Verified project.ditamap — comprehensive QMS structure
  2. Verified WebHelp with Entra ID access — personnel can access QMS
  3. Checked quality_objectives.dita — EMPTY

8.2 Management System Documentation

Norm: ISO/IEC 17025:2017, clause 8.2 (8.2.1–8.2.5). Sub-clauses cover: policies and objectives (8.2.1), competence/impartiality/consistency (8.2.2), management commitment (8.2.3), documentation integration (8.2.4), personnel access (8.2.5).

QMS reference documents: quality_policy.dita (EMPTY), project.ditamap, WebHelp + Entra ID

Findings: The management system documentation has strong infrastructure but critical content gaps. The project.ditamap is comprehensive (8.2.4). Personnel access via WebHelp+Entra ID is effective (8.2.5). However, quality_policy.dita is empty — no quality policy exists (8.2.1). Consequently, no policy commits to competence, impartiality, or consistent operation (8.2.2). Management commitment is not formally documented (8.2.3). Document control excellence creates a false sense of QMS maturity — the infrastructure controls primarily empty documents. ABW-021 (kritisch): No quality policy exists. No commitment to competence, impartiality, or consistent operation.

Lfd.-Nr. / ON | Description / Date
99. ED | Documentation/topics/quality_compliance_management/quality_policy.dita — EMPTY (2025-03-10)
100. ON | Documentation/project.ditamap — comprehensive QMS structure (2026-02-23)
101. ON | WebHelp + Entra ID access for all personnel (2026-02-23)

  1. Checked quality_policy.dita — EMPTY
  2. Verified project.ditamap — comprehensive but controls empty documents
  3. Verified WebHelp access — functional but content is missing

8.3 Control of Management System Documents

Norm: ISO/IEC 17025:2017, clause 8.3 (8.3.1–8.3.2). Sub-clauses cover: document control scope (8.3.1), approval/review/change/distribution/identification/obsolescence controls (8.3.2 a–f).

QMS reference documents: .githooks/, .commitlintrc.yml, GitVersion.yml, .gitlab-ci.yml, document_control_change_management.dita, Git commit history

Findings: Document control is the strongest area of the QMS. The Git-based workflow with GitVersion provides automated semantic versioning. Conventional commits with QMS-specific types ensure categorized change tracking. The pre-commit hook automatically updates DITA revision dates. CI/CD ensures only approved content is published. Previous versions are permanently accessible through Git history. All six requirements of 8.3.2 are met: (a) Approval via Git commit + CI pipeline; (b) Review/update via DITA revised dates, commit history; (c) Change identification via Git diff, conventional commits; (d) Distribution via WebHelp + Entra ID; (e) Identification via DITA topic IDs, file paths, GitVersion; (f) Obsolete document control via Git history.

Lfd.-Nr. / ON | Description / Date
102. ON | .githooks/ — pre-commit hooks for date management (2026-02-23)
103. ON | .commitlintrc.yml — commit message enforcement (2026-02-19)
104. ON | GitVersion.yml — semantic versioning configuration (2025-03-10)
105. ON | .gitlab-ci.yml — CI/CD pipeline for controlled publishing (2026-02-19)
106. ON | Documentation/topics/quality_compliance_management/document_control_change_management.dita (2025-03-10)
107. ON | Git commit history — controlled changes with conventional commit types (2026-02-23)

  1. Verified Git-based version control — full history and traceability
  2. Verified conventional commits — QMS-specific types enforced
  3. Verified pre-commit hooks — revision dates auto-updated
  4. Verified CI/CD publishing — controlled single point of access
  5. Verified all 6 requirements of 8.3.2 — all met

8.4 Control of Records

Norm: ISO/IEC 17025:2017, clause 8.4 (8.4.1–8.4.2). Sub-clauses cover: legible records (8.4.1), controls for identification/storage/protection/backup/retrieval/retention/disposal (8.4.2).

QMS reference documents: Git repository

Findings: Records infrastructure is sound for QMS documents through Git. However, many record categories required by ISO 17025 are absent: no CAPA records, no audit records, no management review records, no complaint records, no NC work records (8.4.1). No records management procedure exists with defined retention times, disposal rules, or backup procedures (8.4.2). ABW-022 (nicht kritisch): Many required record categories absent. No records management procedure with retention times and disposal rules.

Lfd.-Nr. / ON | Description / Date
108. ON | Git repository — backup and retention for QMS documents (2026-02-23)
109. ED | No records management procedure found (N/A)

  1. Verified Git repository provides backup for QMS documents
  2. Checked for records management procedure — none found
  3. Identified missing record categories: CAPA, audits, reviews, complaints, NC

8.5 Actions to Address Risks & Opportunities

Norm: ISO/IEC 17025:2017, clause 8.5 (8.5.1–8.5.3). Sub-clauses cover: risk/opportunity consideration (8.5.1 a–d), action planning and integration (8.5.2), proportionality (8.5.3).

QMS reference documents: risk_management_preventive_actions.dita (EMPTY)

Findings: Risk management is structurally absent. The risk_management_preventive_actions.dita is an empty shell. No risk register exists (8.5.1). No planned actions address risks/opportunities (8.5.2) and no proportionality evaluation has been conducted (8.5.3). Because 8.5.2 and 8.5.3 build on the risks and opportunities identified under 8.5.1, the missing register cascades through the whole clause, making the gap systemic. ABW-023 (nicht kritisch): risk_management_preventive_actions.dita is empty. No risk register, no planned actions, no proportionality evaluation.

Lfd.-Nr. / ON | Description / Date
110. ED | Documentation/topics/continuous_improvement_change_control/risk_management_preventive_actions.dita — EMPTY (2025-03-10)

  1. Checked risk_management_preventive_actions.dita — EMPTY
  2. Searched for risk register — none found

8.6 Improvement

Norm: ISO/IEC 17025:2017, clause 8.6 (8.6.1–8.6.2). Sub-clauses cover: improvement identification and implementation (8.6.1), customer feedback (8.6.2).

QMS reference documents: continuous_improvement_change_control/ — all 5 topics EMPTY

Findings: All 5 improvement-related topics in the continuous_improvement_change_control directory are empty shells. No opportunities for improvement have been formally identified, selected, or implemented (8.6.1). No customer feedback mechanism exists (8.6.2). ABW-024 (kritisch): No improvement process documented. All continuous improvement topics empty. No customer feedback mechanism.

Lfd.-Nr. / ON | Description / Date
111. ED | Documentation/topics/continuous_improvement_change_control/ — all 5 topics EMPTY (2025-03-10)

  1. Checked all 5 continuous improvement topics — all EMPTY
  2. Searched for customer feedback mechanism — none found

8.7 Corrective Actions

Norm: ISO/IEC 17025:2017, clause 8.7 (8.7.1–8.7.3). Sub-clauses cover: response/root cause analysis/action (8.7.1 a–f), proportionality (8.7.2), records (8.7.3).

QMS reference documents: corrective_preventive_actions_capa.dita (EMPTY), root_cause_analysis_documentation.dita (EMPTY), Resources/Application/ (DAkkS CAPA template available)

Findings: The corrective action framework is completely absent. corrective_preventive_actions_capa.dita is empty (8.7.1). No CAPA procedure exists covering the 6 required elements. No corrective action records exist (8.7.3). The DAkkS CAPA template is available in Resources/Application/ but has not been integrated into the QMS. This gap breaks the link from nonconforming work (7.10.3), complaint handling (7.9), and defective equipment (6.4.9). ABW-025 (kritisch): No CAPA procedure. No root cause analysis capability. No corrective action records. DAkkS template available but not integrated.

Lfd.-Nr. / ON | Description / Date
112. ED | Documentation/topics/continuous_improvement_change_control/corrective_preventive_actions_capa.dita — EMPTY (2025-03-10)
113. ED | Documentation/topics/continuous_improvement_change_control/root_cause_analysis_documentation.dita — EMPTY (2025-03-10)
114. ON | Resources/Application/ — DAkkS CAPA template available but not integrated (N/A reference)

  1. Checked corrective_preventive_actions_capa.dita — EMPTY
  2. Checked root_cause_analysis_documentation.dita — EMPTY
  3. Found DAkkS CAPA template in Resources/Application/ — not integrated

8.8 Internal Audits

Norm: ISO/IEC 17025:2017, clause 8.8 (8.8.1–8.8.2). Sub-clauses cover: audit objectives (8.8.1 a–b), audit program planning/criteria/reporting/corrective actions/records (8.8.2 a–e).

QMS reference documents: internal_external_audits.dita (EMPTY), this audit report

Findings: The internal audit framework is absent from the QMS. internal_external_audits.dita is empty (8.8.1). No audit programme exists. All five requirements of 8.8.2 are unmet: no frequency/methods/responsibilities (a), no criteria/scope per audit (b), no reporting to management (c), no corrections/corrective actions (d), no records (e). This current audit report represents the first systematic internal audit of the QMS. ABW-026 (kritisch): internal_external_audits.dita is empty. No audit programme, no schedule, no defined criteria. All 5 requirements of 8.8.2 unmet.

Lfd.-Nr. / ON | Description / Date
115. ED | Documentation/topics/quality_compliance_management/internal_external_audits.dita — EMPTY (2025-03-10)
116. ON | This audit report (docs/audit/2026-02-23-internal-audit.md) — first internal audit (2026-02-23)

  1. Checked internal_external_audits.dita — EMPTY
  2. Verified all 5 requirements of 8.8.2 are unmet
  3. This report is the first internal audit record

8.9 Management Reviews

Norm: ISO/IEC 17025:2017, clause 8.9 (8.9.1–8.9.3). Sub-clauses cover: planned reviews for suitability and effectiveness (8.9.1), review inputs (8.9.2 a–o), review outputs (8.9.3 a–d).

QMS reference documents: management_reviews.dita (EMPTY)

Findings: The management review framework is completely absent. management_reviews.dita is empty (8.9.1). No management review has been conducted. All 15 input categories required by 8.9.2 are absent. No management review outputs exist (8.9.3). This is the capstone closure mechanism of the management system and its absence indicates the PDCA cycle has no "Check" or "Act" phase. ABW-027 (kritisch): management_reviews.dita is empty. No management review conducted. All 15 input categories absent. No outputs documented.

Lfd.-Nr. / ON | Description / Date
117. ED | Documentation/topics/quality_compliance_management/management_reviews.dita — EMPTY (2025-03-10)

  1. Checked management_reviews.dita — EMPTY
  2. Verified no management review has been conducted
  3. Verified all 15 input categories absent

Additional Aspects

References: EA 3/01, ILAC P8, DAkkS SD-DAkkS-002.

Accreditation symbol usage (EA 3/01, ILAC P8): Not applicable for initial accreditation (Erstakkreditierung). To be assessed after accreditation is granted. Phase 2 supplemental assessment identified preparatory concerns: no certificate template exists, no policy on accredited vs. non-accredited certificates, no mechanism to control accreditation symbol appearance, no mechanism for in-scope/out-of-scope marking on partially accredited certificates, risk of ISO 9001 reference on certificates (prohibited by EA-3/01 once accredited). These are pre-accreditation planning items, not current deviations.

Scope flexibility: Cannot be assessed as all CMC values remain "TBD" and no DKD-R guideline references exist in the QMS.

Previous corrective actions fulfilled: Not applicable — this is the first internal audit (Erstbegutachtung). No previous deviations or corrective actions to assess.

Lfd.-Nr. / ON | Description / Date
-- | First audit — no previous corrective actions to verify

Cross-Cutting Findings

The following findings span multiple clauses and represent systemic patterns rather than isolated clause-level issues.

CCF-001: Complete Absence of the Reactive Quality Cycle (affects: 6.4.9, 7.9.1-7, 7.10.1-3, 7.7.3, 7.11.3(e), 8.5, 8.7.1-3, 8.9)

Every topic file in the chain from detection to correction is empty: defective equipment reporting (6.4.9), complaint handling (7.9), nonconforming work (7.10), corrective actions (8.7), and management review (8.9). The drift monitoring infrastructure can detect anomalies but has no formal escalation pathway. Personnel authorizations for complaint/NC/CAPA activities are absent from the authorization matrix. The entire "Plan-Do-Check-Act" cycle lacks the "Check" and "Act" phases.

Systemic root cause: The QMS development prioritized the "Do" phase (technical procedures, equipment management, measurement capability) while the quality management superstructure (corrective loops, reviews, improvement) was deferred. All relevant topic files were created as shells on 2024-03-08 or 2025-03-10 but never authored.

Recommendation: Develop the complete reactive quality cycle as an integrated package: (1) complaint handling procedure per 7.9.1-7, (2) nonconforming work procedure per 7.10.1 with all 6 required elements, (3) CAPA procedure per 8.7.1 with root cause analysis template, (4) defective equipment procedure per 6.4.9 linking to 7.10, (5) system failure procedure for 7.11.3(e), (6) management review procedure per 8.9. Add complaint/NC/CAPA authorizations to the authorization matrix.

CCF-002: Supplier-Traceability Void (affects: 6.4.6, 6.5.1-2, 6.6.1-3, 7.11.4)

The laboratory uses accredited calibration providers (Europascal GmbH DAkkS D-K-15055-01-00, Fluke Calibration Phoenix) and data processing providers (Unstructured.io, Anthropic Claude API, Cloudflare Pages), but all five supplier management files have been empty shells for 23 months since creation on 2024-03-08. No evaluation criteria, no provider records, no requirements communication. Provider accreditation numbers are captured in PDF certificates but not in structured DITA metadata.

Systemic root cause: External provider management was recognized as a need (file stubs created) but never prioritized. The laboratory relies on the implicit trust of using DAkkS-accredited providers without formalizing the evaluation.

Recommendation: (1) Create approved supplier list with at minimum Europascal, Fluke, Cloudflare, Anthropic, and Unstructured.io. (2) Define evaluation criteria. (3) Perform initial evaluation and document results. (4) Add accreditation numbers to structured equipment metadata. (5) Define re-evaluation frequency. (6) Assess data processing providers for confidentiality and data integrity.

CCF-003: Environmental Monitoring Instruments Outside Metrological Control (affects: 6.3.2-3, 6.4.1, 7.4.4, 7.6.1, 7.7.1)

The laboratory uses environmental monitoring instruments (temperature/humidity sensors for the dashboard system) that are not included in the equipment management system and therefore not calibrated, not traceably maintained, and not subject to drift analysis. These instruments support validity decisions and storage condition claims.

Systemic root cause: Environmental monitoring was implemented as a practical operational tool without recognizing its metrological significance.

Recommendation: (1) Add environmental monitoring instruments to the equipment master list. (2) Establish calibration programme. (3) Document environmental requirements beyond temperature. (4) Create formal monitoring records. (5) Include environmental instrument uncertainties in the measurement uncertainty budget.

CCF-004: Uncertainty-to-CMC Pipeline Broken (affects: 5.3, 7.2.1.1, 7.2.2.3, 7.6.1-2, 7.8.4.1)

No complete uncertainty budget exists for any calibration. The Molbloc-L uncertainty analysis identifies 9 components (L1-L9) but no combined budget is calculated. No Molbloc-S uncertainty analysis exists. All 16 CMC values in accreditation_scope.dita are "TBD". The leak uncertainty component is unquantified. Without finalized CMC values, the accreditation scope cannot be defined.

Systemic root cause: Uncertainty analysis development focused on component identification and methodology but stopped before final integration. Molbloc-S technology was not addressed at all.

Recommendation: (1) Complete Molbloc-L combined uncertainty budget. (2) Develop Molbloc-S uncertainty analysis. (3) Quantify leak uncertainty. (4) Calculate CMC values for all 16 measurement points. (5) Update accreditation_scope.dita. (6) Create measurement_uncertainty_evaluation.dita as umbrella procedure.

CCF-005: Certificate Production Chain Undocumented (affects: 7.1.3, 7.8.1.2, 7.8.2.1, 7.8.4.1, 7.8.6.1-2, 7.8.8, 8.3)

No calibration certificate template exists in the repository. The 16 mandatory elements per 7.8.2.1/ILAC P14 cannot be verified. No traceability statement template. Conformity assessment occurs in practice but no documented decision rules exist. No amendment procedure for issued certificates. No EA 3/01 or ILAC P8 reference documents in repository.

Systemic root cause: The certificate generation process exists in practice (Compass Software, digital signing) but was never formalized as a controlled QMS document.

Recommendation: (1) Design DAkkS-compliant calibration certificate template with all 16 mandatory elements. (2) Create traceability statement template. (3) Document decision rules per ILAC G8. (4) Create certificate amendment procedure. (5) Add EA 3/01 and ILAC P8 to Resources/Norm/.

CCF-006: Foundational Policy Documents Missing (affects: 4.1.1-5, 4.2.1-4, 8.2.1-3, 8.5.1-3)

Three foundational policy documents are absent: impartiality policy (placeholder text only), confidentiality policy (empty), and quality policy (empty). These are the statements of organizational commitment from which all other QMS requirements flow.

Systemic root cause: Policy development was deferred in favor of technical documentation. The existing ISO 9001 system may cover some requirements but is not integrated.

Recommendation: (1) Author quality policy per 8.2.2. (2) Author impartiality commitment with structural risk assessment. (3) Author confidentiality policy with NDA templates. (4) Author risk management framework per 8.5. (5) Define measurable quality objectives. (6) Obtain top management approval and communicate to all personnel.

CCF-007: Technical Records Policy Absent (affects: 7.5.1-2, 7.8.2.1, 7.11.1, 7.11.3(b), 8.4.2)

No documented procedure exists for technical records management. Git/DITA handles QMS documents well, but raw measurement data, calibration records from Compass Software, and certificate data files exist outside this pipeline. No retention policy, no backup procedure for non-Git data.

Systemic root cause: The QMS was built around DITA/Git for documentation but did not address the separate data pipeline for measurement records.

Recommendation: (1) Document the complete technical records lifecycle. (2) Define record format requirements. (3) Establish backup procedure for non-Git data. (4) Define retention times per DAkkS requirements.

CCF-008: Software Validation Gap (affects: 6.4.6, 6.4.10, 7.6.1-2, 7.11.2, 7.11.6)

The equipctl software system performs critical functions: automated uncertainty calculations, drift analysis, En number computation, and specification compliance assessment. An independent test suite exists (22 test files) but is not in the CI/CD pipeline and is not documented as formal validation. The LLM-based certificate extraction (interpret.py) is entirely undocumented.

Systemic root cause: Development prioritized functional correctness over formal validation documentation.

Recommendation: (1) Add test suite to CI/CD pipeline. (2) Document as formal software validation per 7.11.2. (3) Document LLM-based certificate extraction with validation evidence. (4) Establish change control procedure for equipctl. (5) Document validation scope.

Show-Me Chains

Each chain connects a compliance claim to its supporting evidence. Broken links indicate documentation gaps a DAkkS assessor would flag.

Chain 1: Measurement Result Traceability

Claim: "Our calibration results are metrologically traceable to SI"

  1. SI unit definition and NMI realization — Status: COMPLETE — mass flow traceable through gravimetric primary standards (L7)
  2. Accredited calibration laboratory certificates — Status: INCOMPLETE — Europascal and Fluke certificates on file, but accreditation numbers not in structured metadata; providers not formally evaluated per 6.6
  3. Reference standard calibration certificates — Status: COMPLETE — 100+ detail pages with data and uncertainties
  4. Uncertainty contribution from calibration data — Status: INCOMPLETE — L7 component identified for Molbloc-L but no combined budget; no Molbloc-S analysis
  5. Traceability statement on issued certificates — Status: MISSING — no certificate template exists; no traceability statement template

Chain 2: Personnel Competence for Calibration Activities

Claim: "Personnel performing calibrations are competent"

  1. Competence requirements defined per function (6.2.2) — Status: INCOMPLETE — 7 role descriptions exist but competence criteria partially defined
  2. Training records demonstrating qualification (6.2.5) — Status: INCOMPLETE — minimal training records (1 entry per employee)
  3. Authorization records for specific activities (6.2.6) — Status: INCOMPLETE — authorization matrix names personnel but Lab Manager self-authorizes; 0 authorizations for complaint/NC/CAPA
  4. Ongoing competence monitoring evidence (6.2.5 f) — Status: MISSING — no competence monitoring procedure or records

Chain 3: Equipment Fitness for Purpose

Claim: "Equipment is suitable for achieving required measurement accuracy"

  1. Equipment specifications documented (6.4.5) — Status: COMPLETE — device_config.yaml files with programmatic specifications
  2. Acceptance/verification before use (6.4.4) — Status: INCOMPLETE — no verification checklists or records
  3. Calibration programme established and maintained (6.4.6, 6.4.7) — Status: INCOMPLETE — strong calibration records but Molbox SN880 ~7 years overdue
  4. Drift analysis shows stability (6.4.10) — Status: COMPLETE — comprehensive Dev/Spec, En, ICD, trend across 13+ devices
  5. Intermediate checks performed (6.4.10) — Status: INCOMPLETE — drift analysis is retrospective, not proactive intermediate checks
  6. Defective equipment procedure (6.4.9) — Status: MISSING — defective_equipment_non_conformance_reporting.dita is EMPTY

Chain 4: Document Control Integrity

Claim: "All QMS documents are controlled and current"

  1. Version control system with full history — Status: COMPLETE — Git/GitLab with conventional commits
  2. Automated versioning (GitVersion + conventional commits) — Status: COMPLETE — GitVersion.yml + .commitlintrc.yml
  3. Pre-commit hooks enforce metadata consistency — Status: COMPLETE — revision dates auto-updated
  4. Published output matches source of truth — Status: COMPLETE — CI/CD pipeline builds from main branch
  5. Obsolete document prevention — Status: COMPLETE — Git history preserves but does not surface old versions
  6. Resources/ directory under document control — Status: INCOMPLETE — JSON/YAML data files in Git but not in DITA pipeline, not referenced by ditamap

Chain 5: Result Validity

Claim: "Our measurement results are valid and monitored"

  1. Monitoring plan documented (7.7.1) — Status: INCOMPLETE — ensuring_validity_of_results.dita is EMPTY; drift analysis documented but no umbrella validity plan
  2. Control techniques implemented (intermediate checks, control charts) — Status: INCOMPLETE — drift analysis with Dev/Spec, En, ICD implemented; no control charts; no intermediate check procedure
  3. Proficiency testing / interlaboratory comparisons (7.7.2) — Status: MISSING — zero ILC/PT participation or planning
  4. Corrective action triggers from invalid results (7.7.3) — Status: MISSING — drift monitoring detects issues but 7.10, 6.4.9, 8.7 all empty; no formal escalation pathway

Git Maturity Indicators

Analysis of commit history as a proxy for documentation maturity. Active sections show ongoing management; dormant sections may need attention.

| QMS Section | Path | Total commits | Last commit | Commits (12 mo) | Activity level |
|---|---|---|---|---|---|
| Equipment management | Documentation/topics/equipment_management/ | 56 | 2026-02-23 | 56 | Active |
| Laboratory procedures | Documentation/topics/laboratory_procedures_workflows/ | 23 | 2026-02-22 | 23 | Active |
| Organization/personnel | Documentation/topics/organizational_structure_personnel_management/ | 10 | 2025-03-10 | 10 | Dormant |
| Complaints/NC work | Documentation/topics/complaints_nonconforming_work/ | 2 | 2025-03-10 | 2 | Dormant |
| Continuous improvement | Documentation/topics/continuous_improvement_change_control/ | 5 | 2025-03-10 | 5 | Dormant |
| Supplier management | Documentation/topics/supplier_external_provider_management/ | 2 | 2025-03-10 | 2 | Dormant |
| Quality compliance | Documentation/topics/quality_compliance_management/ | 5 | 2025-03-10 | 5 | Dormant |
| ISO 17025 reference | Documentation/topics/ISO17025/ | 8 | 2025-03-10 | 8 | Dormant |
| CI/CD infrastructure | .gitlab-ci.yml, scripts/ | 22 | 2026-02-19 | 22 | Active |
| Equipment tooling | src/equipctl/ | 97 | 2026-02-23 | 97 | Active |
| Equipment data | Resources/Equipment/ | 70 | 2026-02-23 | 70 | Active |
| Uncertainty budgets | Resources/Uncertainty Budgets/ | 1 | 2025-03-04 | 1 | Dormant |

Activity levels: Active (5+ commits in 3 months) | Moderate (2-4 commits in 3 months) | Low (1 commit in 3 months or last within 6 months) | Dormant (no commits in 6 months).

Observations: The QMS shows a stark two-speed development pattern. Technical content (equipment management, laboratory procedures, equipctl tooling, CI/CD) is highly active with 56-97 commits and very recent updates. Quality management content (complaints, continuous improvement, supplier management, quality compliance) is entirely dormant with last commits dating to 2025-03-10 — nearly 12 months ago. The organization/personnel section (10 commits, last 2025-03-10) was established early and never updated. The complaints and supplier management sections have only 2 commits each — likely the initial file creation and one metadata update. The uncertainty budgets directory has only 1 commit, indicating this critical accreditation artifact has not been actively developed. The equipment tooling (src/equipctl/) has 97 commits, the most active area. All dormant sections were last committed on the same date (2025-03-10), suggesting a bulk initial creation of QMS topic shells that were not subsequently developed.
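The activity-level legend above can be recomputed from commit dates, which lets a reviewer check the table independently. The following is an added example, not part of the audit tooling or the audited repository: the section names and dates in SAMPLE_LOGS are constructed, and counting the legend's 3, 6 and 12 months as 91, 182 and 365 days is an assumption.

```python
"""Recompute the Git maturity table columns from commit dates (added example)."""
import subprocess
from datetime import date, timedelta

# Assumption: the legend's "3 months", "6 months" and "12 mo" are counted as
# 91, 182 and 365 days back from the audit date.
WINDOW_3M = timedelta(days=91)
WINDOW_6M = timedelta(days=182)
WINDOW_12M = timedelta(days=365)

AUDIT_DATE = date(2026, 2, 23)  # audit date stated in the report


def parse_dates(log_output):
    """Parse `git log --format=%cs` output: one YYYY-MM-DD date per line."""
    return sorted(date.fromisoformat(line.strip())
                  for line in log_output.splitlines() if line.strip())


def commit_dates(repo, path):
    """Committer dates of every commit that touched `path` in `repo`."""
    result = subprocess.run(
        ["git", "-C", repo, "log", "--format=%cs", "--", path],
        check=True, capture_output=True, text=True)
    return parse_dates(result.stdout)


def summarize(dates, audit_date):
    """Return total, last commit, 12-month count and activity level."""
    # Commits dated after the audit snapshot must not raise the rating.
    past = [d for d in dates if d <= audit_date]
    if not past:
        return {"total": 0, "last": None, "last_12mo": 0, "level": "Dormant"}
    last = max(past)
    n3 = sum(1 for d in past if audit_date - d <= WINDOW_3M)
    n12 = sum(1 for d in past if audit_date - d <= WINDOW_12M)
    if n3 >= 5:
        level = "Active"        # 5+ commits in 3 months
    elif n3 >= 2:
        level = "Moderate"      # 2-4 commits in 3 months
    elif n3 == 1 or audit_date - last <= WINDOW_6M:
        level = "Low"           # 1 commit in 3 months or last within 6 months
    else:
        level = "Dormant"       # no commits in 6 months
    return {"total": len(past), "last": last, "last_12mo": n12, "level": level}


# Constructed sample input: what `git log --format=%cs -- <path>` would print
# for four hypothetical section paths.
SAMPLE_LOGS = {
    "active": "2026-02-23\n2026-02-19\n2026-02-10\n2026-01-30\n2026-01-15\n2025-12-01\n",
    "moderate": "2026-01-10\n2025-12-20\n2025-06-01\n",
    "low": "2025-10-01\n",
    "dormant": "2025-03-10\n2025-03-05\n",
}


def classify_samples():
    """Summaries for every constructed sample, keyed by section name."""
    return {name: summarize(parse_dates(log), AUDIT_DATE)
            for name, log in SAMPLE_LOGS.items()}


if __name__ == "__main__":
    for name, row in classify_samples().items():
        print(f"{name:10} {row['total']:3} {row['last']} "
              f"{row['last_12mo']:3} {row['level']}")
```

Against a real checkout, `summarize(commit_dates(repo, path), AUDIT_DATE)` yields one table row per section path.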

Bias Detection Flags

AI auditors have different bias patterns than human auditors. This section transparently identifies areas where the assessment may over-rate or under-rate compliance, and where human judgment is essential.

Areas where this AI audit may OVER-RATE compliance

| Clause | Risk | Reason |
|---|---|---|
| 8.3 Document control | HIGH | The Git-based infrastructure objectively satisfies many document control requirements. However, the auditor cannot verify that personnel actually follow the documented processes in daily work, that they use conventional commits correctly, or that the pre-commit hooks are not bypassed. |
| 7.5 Technical records | MEDIUM | Git traceability is excellent for document changes, but the AI cannot verify that original measurement data is recorded contemporaneously during calibration (not retroactively entered), or that Compass Software records are complete. |
| 7.11 Data management | MEDIUM | The technical infrastructure is strong, but the AI cannot assess physical security of servers, backup verification testing, disaster recovery capabilities, or whether access controls are actually enforced. |
| 6.4 Equipment (specifications) | MEDIUM | The device_config.yaml files and drift analysis are technically excellent, but the AI cannot verify that specification values match actual instrument capabilities or that drift analysis thresholds are appropriately set. |
| 7.2.1.1 Methods | LOW | The calibration procedure for Molbloc-L is technically detailed, but the AI cannot verify that the documented procedure matches actual laboratory practice. |

Areas where this AI audit may UNDER-RATE compliance

| Clause | Risk | Reason |
|---|---|---|
| 6.3 Facilities | HIGH | The AI can only assess documented evidence. Physical facilities, environmental controls, and laboratory layout cannot be evaluated without on-site inspection. The laboratory may have excellent conditions that are simply not yet documented. |
| 6.2 Personnel | HIGH | Competence may exist through years of professional experience and external training that is not yet formally documented. The Lab Manager holds demonstrable expertise through the quality of technical documentation. Under-documentation does not equal incompetence. |
| 7.1 Contract review | MEDIUM | Informal but effective contract review processes may exist in email correspondence, OSTicket history, ERP systems, or other platforms not visible to the QMS repository auditor. |
| 6.6 External providers | MEDIUM | The practice of using DAkkS-accredited providers is sound and may be more deliberately managed than the empty documentation suggests. |
| 5 Structure | LOW | The legal entity status and management authority may be clearly established in company registration documents not included in the QMS repository. |

Areas requiring mandatory human verification

| Clause | What the AI cannot assess |
|---|---|
| 5 Structural requirements | Legal entity status, actual management authority, real organizational dynamics, whether the Lab Manager role truly has the independence described |
| 6.2 Personnel | Actual competence through interviews, practical demonstrations, years of hands-on experience that predates the QMS |
| 6.3 Facilities | Physical laboratory conditions: temperature stability, cleanliness, vibration, electromagnetic interference, layout, floor plan adequacy |
| 6.4 Equipment | Physical equipment condition, calibration status labels on instruments, storage conditions, whether Molbox SN880 is actually in use or decommissioned |
| 6.5 Traceability | Verification of original calibration certificates (not just DITA representations), confirmation of provider accreditation status at time of each calibration |
| 7.4 Item handling | Physical receiving inspection, storage conditions for customer DUTs, identification labeling practices, condition of items during transit |
| 7.7 Result validity | Actual proficiency testing performance data, external ILC results, comparison with peer laboratories |

Deviation Register

| Abw. Nr. | Clause | Bewertung | Description | Required Corrective Action | Deadline |
|---|---|---|---|---|---|
| ABW-001 | 4.1 | 3 (kritisch) | No impartiality policy, commitment, risk identification, or risk mitigation. commitment_to_impartiality.dita contains only placeholder text. Structural risk (Lab Manager backing up Sales/CEO) unassessed. | Author impartiality commitment with structural risk assessment addressing the Lab Manager dual-role. Implement ongoing risk identification mechanism. Document risk mitigation measures. | TBD |
| ABW-002 | 4.2 | 3 (kritisch) | No confidentiality policy, no NDA templates, no information classification, no disclosure notification procedure. confidentiality_agreements.dita is empty. | Create confidentiality policy. Develop NDA templates. Establish information classification system. Document disclosure notification procedure per 4.2.2. | TBD |
| ABW-003 | 5 | 3 (kritisch) | No quality policy or management communication process (5.7). Legal entity not formally declared (5.1). CMC values all "TBD" (5.3). Multiple topics empty. | Formally declare legal entity status. Author quality policy. Define management communication process. Populate CMC values upon completion of uncertainty budgets. | TBD |
| ABW-007 | 6.4 | 3 (kritisch) | Defective equipment procedure (6.4.9) completely absent. Environmental monitoring instruments outside metrological control (6.4.1). No maintenance plan (6.4.3). Molbox SN880 ~7 years overdue (6.4.6). | Create defective equipment procedure linking to 7.10. Add environmental monitoring instruments to equipment list. Establish maintenance plan. Resolve Molbox SN880 status. | TBD |
| ABW-009 | 6.6 | 3 (kritisch) | Complete absence of external provider management. All 5 supplier files empty for 23 months. No evaluation criteria, no records, no requirements communication. | Create approved supplier list. Define evaluation criteria. Perform initial evaluation of Europascal, Fluke, Cloudflare, Anthropic, Unstructured.io. Document requirements communication. | TBD |
| ABW-010 | 7.1 | 3 (kritisch) | Contract review incomplete: no decision rules for conformity (7.1.3), no customer deviation notification (7.1.5), no contract amendment re-review (7.1.6). | Complete contract review procedure covering all 7.1.1-7.1.8 requirements. Add decision rule documentation, deviation notification, amendment re-review workflow. | TBD |
| ABW-011 | 7.2 | 3 (kritisch) | No procedure for method deviations (7.2.1.7). No method change impact assessment (7.2.2.2). No validation records (7.2.2.4). Molbloc-S method documentation missing. Leak uncertainty unquantified. | Document method deviation procedure. Create change impact assessment. Develop Molbloc-S method documentation. Complete validation records. Quantify leak uncertainty. | TBD |
| ABW-012 | 7.4 | 3 (kritisch) | No deviation recording at receipt (7.4.3). sample_reception_handling.dita empty. Customer DUT handling undocumented. Monitoring instruments not calibrated. | Create sample reception and handling procedure. Establish deviation recording at receipt. Calibrate environmental monitoring instruments. | TBD |
| ABW-015 | 7.7 | 3 (kritisch) | Zero ILC/PT participation (7.7.2). ensuring_validity_of_results.dita empty. No action procedures for out-of-criteria results. | Develop ILC/PT participation plan and complete at least one comparison. Author ensuring_validity_of_results.dita. Create action procedures linking to 7.10 and 8.7. | TBD |
| ABW-016 | 7.8 | 3 (kritisch) | No calibration certificate template. No traceability statement. No amendment procedure. No decision rule documentation. Certificate production chain undocumented. | Design DAkkS-compliant certificate template with all 16 mandatory elements. Create traceability statement. Document decision rules per ILAC G8. Create amendment procedure. | TBD |
| ABW-017 | 7.9 | 3 (kritisch) | Complete absence of complaint handling. complaint_handling_resolution_tracking.dita empty. All 7 sub-clauses unmet. | Create complaint handling procedure per 7.9.1-7. Include receive/validate/investigate elements, independence mechanism, closure notification. | TBD |
| ABW-018 | 7.10 | 3 (kritisch) | No nonconforming work procedure. Zero of 6 required elements addressed. All supporting topics empty. No records, no corrective action link. | Create NC work procedure with all 6 elements per 7.10.1. Establish NC records. Link to 8.7, 6.4.9, and 7.7.3. | TBD |
| ABW-019 | 7.11 | 3 (kritisch) | No formal LIMS/software validation (7.11.2). Three external data providers unevaluated (7.11.4). No system failure recording (7.11.3(e)). LLM certificate extraction unvalidated. | Add equipctl test suite to CI/CD. Document as formal software validation. Evaluate external providers. Create system failure procedure. Validate LLM extraction. | TBD |
| ABW-021 | 8.2 | 3 (kritisch) | No quality policy (quality_policy.dita empty). No commitment to competence, impartiality, or consistent operation. | Author quality policy per 8.2.1-2. Obtain top management approval. Communicate to all personnel via WebHelp. | TBD |
| ABW-024 | 8.6 | 3 (kritisch) | No improvement process. All continuous improvement topics empty. No customer feedback mechanism. | Establish improvement identification process. Implement customer feedback mechanism. Document improvement criteria. | TBD |
| ABW-025 | 8.7 | 3 (kritisch) | No CAPA procedure. corrective_preventive_actions_capa.dita empty. No root cause analysis. No corrective action records. DAkkS template available but not integrated. | Create CAPA procedure covering all 6 elements of 8.7.1. Integrate DAkkS CAPA template. Create root cause analysis methodology. | TBD |
| ABW-026 | 8.8 | 3 (kritisch) | No internal audit programme. internal_external_audits.dita empty. All 5 requirements of 8.8.2 unmet. | Create audit programme with defined frequency, methods, responsibilities. This current report can serve as first audit record. | TBD |
| ABW-027 | 8.9 | 3 (kritisch) | No management review. management_reviews.dita empty. All 15 input categories absent. No outputs. | Create management review procedure. Conduct initial review with all 15 input categories per 8.9.2. Document outputs. | TBD |
| ABW-004 | 6.1 | 2 (nicht kritisch) | Resource adequacy partially demonstrated. Support services (supplier management) undocumented. No consolidated facilities assessment. | Consolidate resource adequacy assessment. Address supplier management per ABW-009. Create facilities assessment summary. | TBD |
| ABW-005 | 6.2 | 2 (nicht kritisch) | Training records minimal. No ongoing competence monitoring. No selection/supervision procedures. Impartiality commitment placeholder. Self-authorization not justified. | Expand training records. Establish competence monitoring. Document selection/supervision. Author impartiality commitment. Justify self-authorization. | TBD |
| ABW-006 | 6.3 | 2 (nicht kritisch) | No consolidated environmental requirements. Monitoring instruments not calibrated. No monitoring records. No facility suitability assessment. Only temperature documented. | Create facility suitability assessment with floor plan. Consolidate environmental requirements. Calibrate monitoring instruments. Establish monitoring records. | TBD |
| ABW-008 | 6.5 | 2 (nicht kritisch) | No formal traceability policy. Provider accreditation not formally tracked. Accreditation numbers not in structured metadata. | Create traceability policy. Capture provider accreditation numbers in DITA metadata. Link to supplier evaluation per ABW-009. | TBD |
| ABW-013 | 7.5 | 2 (nicht kritisch) | No formal technical records policy. Raw measurement data tracking undocumented. | Create technical records policy covering measurement data lifecycle, storage, retention, backup. Document Compass Software data flow. | TBD |
| ABW-014 | 7.6 | 2 (nicht kritisch) | No complete uncertainty budget. No Molbloc-S analysis. All CMC "TBD". Leak uncertainty unquantified. FLAGGED FOR HUMAN REVIEW: 7.6.2 may warrant critical rating. | Complete uncertainty budgets per CCF-004 action plan. Author measurement_uncertainty_evaluation.dita. Finalize CMC values. | TBD |
| ABW-020 | 8.1 | 2 (nicht kritisch) | Quality objectives not documented. quality_objectives.dita empty. | Author quality_objectives.dita with measurable objectives aligned to quality policy. | TBD |
| ABW-022 | 8.4 | 2 (nicht kritisch) | Many required record categories absent. No records management procedure with retention times. | Create records management procedure. Define retention periods per DAkkS requirements. | TBD |
| ABW-023 | 8.5 | 2 (nicht kritisch) | risk_management_preventive_actions.dita empty. No risk register, no planned actions, no proportionality evaluation. | Author risk management procedure. Create risk register. Document risk-based actions and proportionality evaluation. | TBD |

Overall Assessment (Gesamtbewertung)

Existing certifications

ISO 9001 certification (existing, 10+ years via Analyt MTC). The existing ISO 9001 system may address some management system requirements (particularly 8.x clauses) that appear absent from this repository-based QMS. The transition strategy is: ISO 9001 today, ISO 17025 integration next year, eventual single system.

Adequacy of personnel, equipment, and facilities

Personnel: The authorization matrix identifies named personnel for specific laboratory activities. Seven role descriptions cover key functions. Six employee records exist. However, training records are minimal, competence monitoring is absent, and self-authorization of the Lab Manager is not formally justified. The quality of the technical documentation demonstrates significant metrological expertise not reflected in formal competence records.

Equipment: This is the strongest area. The equipment master list covers 13 instruments with individual tracking pages spanning 10-16 years of calibration history. The programmatic equipment management system (equipctl) automates specification compliance, drift analysis, and uncertainty band calculations. The drift analysis methodology implements multiple statistical metrics (Dev/Spec, En, ICD, trend). Main concerns: Molbox SN880 status anomaly (7 years overdue), environmental monitoring instruments outside metrological control, empty defective equipment procedure.

Facilities: AI assessment is limited to documented evidence. The laboratory is described as climate-controlled with continuous monitoring, badge-controlled access, and defined temperature limits. Physical verification is required to confirm actual conditions.

Fulfillment of additional requirements

No DKD guidelines are explicitly referenced in the QMS. Scope flexibility (Category III) cannot be assessed as all CMC values remain "TBD" and no DKD-R guideline references exist. The DAkkS application documents are available in Resources/Application/ but have not been integrated into the active QMS.

Overall impression (strengths and weaknesses)

Strengths: Git-based document control (8.3) is the gold standard — fully automated versioning, enforced commit standards, CI/CD publishing, immutable history. Equipment management is exceptional — programmatic tracking, automated drift analysis with multiple statistical metrics, 10-16 year calibration histories. The calibration procedure for Molbloc-L technology is technically detailed with GUM-referenced uncertainty methodology. The DITA single-source publishing approach ensures web and PDF outputs are always in sync. Independent verification tests for critical calculations exist.

Weaknesses: The entire reactive quality cycle is absent: complaints, nonconforming work, corrective actions, management reviews — every topic file in this chain is empty. Foundational policies (impartiality, confidentiality, quality) do not exist. No calibration certificate template has been created. No ILC/PT participation or planning. All CMC values "TBD". External provider management completely empty for 23 months. Approximately 25 topic files exist as empty shells created in bulk on 2025-03-10.

The weaknesses are predominantly "not yet documented" rather than "fundamentally missing" — the empty topic shells indicate awareness of requirements and architectural planning. The corrective work is substantial but well-scoped.

Focus areas for subsequent audit

1. Reactive quality cycle (Priority 1): Build the complete chain from complaint/NC detection through corrective action to management review.

2. Certificate template and reporting (Priority 2): Design the calibration certificate before the DAkkS assessment.

3. Uncertainty budget completion (Priority 3): Finalize CMC values for both Molbloc-L and Molbloc-S.

4. Foundational policies (Priority 4): Author quality policy, impartiality policy, and confidentiality policy.

5. External provider evaluation (Priority 5): Populate the supplier management framework.

Systemic patterns: The QMS exhibits a consistent pattern of "infrastructure before content" development. The Git/DITA/CI/CD framework is mature and effective, but many topic files within it are empty shells. This is visible in both the git maturity data and the commit date pattern (bulk creation on 2025-03-10, no subsequent development of management topics).

Auditor Notes

Methodology

Three-phase pipeline: 16 parallel section audits (Phase 1), 9 cross-examinations (Phase 2, agents 7-8, 10-16), synthesis (Phase 3). All findings based on documentary evidence in the Git repository at commit 72c88d9.

Limitations

Phase 2 cross-examination data for agents 1-6 and 9 was lost due to session rollover; Phase 1 ratings used for those sections. AI cannot verify physical conditions, conduct personnel interviews, or access external systems (OSTicket, Compass Software, email, ISO 9001 QMS on Typo3).

Bias disclosure

This audit was conducted by an AI system (Claude Code, model claude-opus-4-6) operating autonomously. The AI may over-rate documentation-heavy areas (8.3 document control) and under-rate areas requiring physical verification (6.3 facilities, 6.2 personnel competence). Human review and physical verification are required before acting on these findings. See Bias Detection Flags section for detailed analysis.

Scope of assessment

Full ISO/IEC 17025:2017 QMS audit against DAkkS FO-B_K_17025-2018 checklist structure. QMS version at commit 72c88d9.

Rating Scale (Bewertungsschluessel)

| Bewertung | Definition (DE) | Definition (EN) |
|---|---|---|
| 1 | Keine Abweichung | No deviation — clause requirements are fully met |
| 2 | Nicht kritische Abweichung | Non-critical deviation — requirements are partially met; deficiency does not directly affect result validity or management system functioning, but requires correction |
| 3 | Kritische Abweichung | Critical deviation — requirements are not met; deficiency directly affects result validity, reliability of operations, or represents a fundamental management system failure requiring immediate corrective action |
| n/a | Nicht zutreffend | Not applicable — clause does not apply to the laboratory's scope of activities |