Unannounced audits are random sampling checks of the quality management systems by notified bodies with the aim of
- finding out if medical device manufacturers are working in conformity with their quality management system (e.g., according to ISO 13485),
- being able to identify deviations and react quickly, and
- uncovering fraud in a more reliable way.
Initial experience with unannounced audits is now available.
Update: Changes due to the MDR
History of unannounced audits
The emphasis on unannounced audits is a result of the breast implant scandal, after which the demand emerged to check medical device manufacturers not only in the context of ISO 13485, but also to take unannounced and random samples to ensure that the requirements of the QM system are met in everyday work.
The MDR states:
“The position of notified bodies vis-à-vis manufacturers should be strengthened, including with regard to their right and duty to carry out unannounced on-site audits and to conduct physical or laboratory tests on devices to ensure continuous compliance by manufacturers after receipt of the original certification.”
However, it is not only manufacturers but also notified bodies that have to fear unannounced audits:
“The authority responsible for notified bodies may in addition to regular monitoring or on-site assessments conduct short-notice, unannounced or ‘for-cause’ reviews if needed to address a particular issue or to verify compliance.”
MDR: Regulatory requirements
Unannounced audits for vigilance notifications
The MDR has specified the requirements for unannounced audits. It requires notified bodies to decide whether to carry out an unannounced audit in the event of a vigilance notification (MDR, Annex VII, 4.10).
Unannounced audits at least every five years
Irrespective of this, the notified body must conduct unannounced audits of manufacturers with a complete QM system at least once every five years. The MDR stipulates this in Annex IX 3.4:
“The notified body shall randomly perform at least once every five years unannounced audits on the site of the manufacturer and, where appropriate, of the manufacturer’s suppliers and/or subcontractors, which may be combined with the periodic surveillance assessment referred to in Section 3.3. or be performed in addition to that surveillance assessment. The notified body shall establish a plan for such unannounced on-site audits but shall not disclose it to the manufacturer.
Within the context of such unannounced on-site audits, the notified body shall test an adequate sample of the devices produced or an adequate sample from the manufacturing process to verify that the manufactured device is in conformity with the technical documentation, with the exception of the devices referred to in the second subparagraph of Article 52(8). Prior to unannounced on-site audits, the notified body shall specify the relevant sampling criteria and testing procedure.”
The five years represent the minimum frequency. The notified bodies must consider the risk class and the type of devices when determining the intervals.
Conducting unannounced audits
What is checked in unannounced audits
Tighter requirements apply to unscheduled audits by notified bodies. The EU has published a recommendation on how these audits should be carried out. For example, the following is to be checked:
- Is there a precise intended use description?
- Is the product correctly classified?
- Are the general performance and safety requirements met?
- Are the hazards determined?
- Are risks minimized as much as possible?
- Is there an acceptable risk-benefit ratio?
A representative of a notified body reported that they would take care, especially in unannounced audits, to check whether the documentation is up to date and whether the products actually comply with the criteria. The first point mainly concerns development, the second production.
This prioritization is understandable: after all, one wants to ensure that medical device manufacturers do not simply put everything in order in preparation for regular audits while otherwise failing to comply with the requirements of their own quality management system, or even deliberately violating them. With an unannounced audit the manufacturer has no chance, for example,
- to update or improve outdated or missing development documents,
- to conceal missing product tests, or
- to falsify records of product testing.
How often do unannounced audits take place?
A representative of a notified body revealed to me what criteria they use to choose the manufacturer and to determine the frequency with which they audit individual manufacturers. There are three parameters:
- The risk that arises from the devices. Here the notified body is guided above all by the classifications in accordance with the MDD (I, IIa, IIb, III).
- The problems that it has had with the device or product category in recent years. It is irrelevant whether this information originates from the manufacturers themselves or from other sources such as the BfArM reports.
- The extent to which manufacturers make themselves suspicious, especially in an audit. Auditors have a good feel for whether or not manufacturers act honestly. They notice, even if they cannot always prove it, whether the quality management system is practiced or if it’s just a Potemkin village.
The EU's demands are more specific: The notified bodies should carry out unannounced audits at least once every three years. They should increase the frequency of unannounced audits when the devices pose a significant risk, when the type of device in question is often not compliant, or when certain information suggests that there is a non-conformity of the devices or of the manufacturer. The schedule of unannounced audits should be unpredictable. Basically, an unannounced audit should not take less than a day and should be carried out by at least two examiners.
Update: On June 13, 2016, the German authorities specified the frequency of unannounced audits more clearly in a notice (German):
- Non-event related unannounced audits:
  - Active implantable devices and class III implantable medical devices and class IIb implantable devices: once every three years
  - Class IIb non-implantable devices and class IIa implantable medical devices and IVDs: every five years
- Occasional unannounced audits: Decided by the notified bodies based on the occasion. The announcement does not make any statements on this.
Update: The MDR has set the minimum frequency of unannounced audits at five years.
If the thought of unannounced audits scares you, then contact us. With our team of auditors and risk management, quality management, usability, and software experts we can help you to quickly check the compliance of your devices and your development process with the relevant laws and standards (IEC 62304, IEC 62366, ISO 14971, and ISO 13485).
We also help you to avoid potential errors with specific, quick-to-implement tips, so that you can face unannounced audits with confidence.