How do you prepare for an unannounced audit visit from a notified body? Richard Poate, medical health services business line manager at product testing and certification organisation Tüv Süd Product Service gives his thoughts.
Coping with medical unannounced audits
The European Union (EU) has a mandatory requirement for notified bodies to conduct unannounced audit visits, at least once in every third year, to all manufacturers certified under one of the European medical device directives. This not only applies to legal manufacturers located in Europe, but to all EC Certificate holders, regardless of whether the manufacturer resides in Europe or outside the European Economic Area (EEA).
Where a company holds an EC Certificate, but is an OEM producer for another company, unannounced audits still apply, regardless of whether the devices are sold under the manufacturer’s own brand name or as an OEM product. Likewise, an EC Certificate holder which exports products solely to countries outside of the EU will receive unannounced audits, even though the devices are placed on markets outside the EEA.
The scope of unannounced audits is considerably different from routine surveillance and recertification audits. Unannounced audits are much shorter as they focus on a particular product, at the facility where it is manufactured, with the aim of assuring day-to-day compliance of the product itself, while surveillance audits are focused on quality management systems. Therefore, the European Commission decided that unannounced audits should be conducted in addition to the regular auditing programme. This process therefore requires additional investment, both time and money, from manufacturers. Given this, manufacturers should factor the additional costs related to unannounced audits in their budgets.
There will be no prior notice for any unannounced audits. If the auditor is not allowed to enter the company, this will be documented in the audit report and a recommendation made that the certification board suspends the certification in question.
Verify your auditor
Verification and authentication of the auditor is a very important step that manufacturers must take in order to safeguard themselves. The responsibility lies with the manufacturer to ensure that the auditors are genuine.
As an example, Tüv Süd has a very clear process for verifying and authenticating the auditors:
- upon arrival of the audit team on the manufacturer’s site, an authentication letter is handed to the manufacturer by the audit team;
- the manufacturer can contact their local Tüv Süd contact person/office and ask for a verification of the unannounced audit, based on the 3 provided in the authentication letter;
- upon request, a copy of the authentication letter can be faxed or emailed to the client.
What happens during an unannounced audit?
Unannounced audits are performed to verify the effective implementation of a Quality Management System, based on a randomly selected representative product. If needed, this can be more than one product, in order to assess if it has been manufactured in accordance with the technical documentation. As unannounced audits are conducted at the facility in which a product is manufactured, if a company has several product lines and/or several manufacturing sites, all products and sites will be subjected to an unannounced audit.
A team of two auditors will be on site for a minimum of one full day, but it may last multiple days. Mandatory elements for all unannounced audits include:
- Conformity of selected device with the technical documentation and with legal requirements;
- traceability of all critical components and materials;
- traceability system;
- conformity of the following with legal requirements;
- manufacturing activity ongoing at the time of the unannounced audit;
- manufacturer’s documentation relevant for the manufacturing activity.
Key processes, including design control, establishment of material specifications, purchasing and control of incoming material and components, assembling, sterilisation, batch release, packaging, and product quality control will be carefully examined. This list is not an exhaustive list and other relevant processes may be examined as well.
Manufacturers are asked to categorise their product portfolio of all CE-certified models into device types. A definition for each device type must be available and include the following information:
- The complete range of models (product codes) included in the device type;
- the criteria applied to include this range of models in a device category;
- a description of how the models are constructed;
- a list of components;
- a list of subassemblies;
- information on critical suppliers / outsourced processes, in particular testing.
Once the audit has been completed, the manufacturer will receive a confidential audit report and, if applicable, an audit finding list which details any major non-compliances that were detected during the unannounced audit.
Notified bodies
Across the EU, all unannounced audits have to be performed by all notified bodies for manufacturers of devices under the new Medical Device Regulation (MDR), which came into force in May 2017 and will replace the current Medical Device Directive (93/42/EEC) and the Directive on active implantable medical devices (90/385/EEC) on 26th May 2020). The European Commission expects notified bodies to perform unannounced audits as a separate function to product assessments and quality system assessments.
For quality management related certificates, sample testing is not mandatory. However, it may occur if the unannounced audit team has reasonable doubts about the conformity of the device type(s). In this case, a product sample will be chosen for further inspection and testing, and if critical processes are subcontracted or critical parts are purchased from a supplier, the notified body may also conduct an unannounced audit of an OEM’s facilities.
Testing a product sample on-site, with the notified body auditor as a witness may be possible. Other options include the testing of samples by the notified body’s laboratory, or by qualified personnel under one of the following:
- Under notified body observation on their premises;
- on the manufacturer’s premises;
- on the premises of the manufacturer’s OEM;
- in qualified external laboratories.
Conformity testing
If sampling at the manufacturer’s premises is not feasible, notified bodies should take samples from the market if necessary (with support by the competent authorities), or should perform testing on a device installed at a customer location. If it is possible to perform tests on raw materials, intermediates, components or unfinished products, these tests will take place instead of destructive tests on final devices. However, the device acquisition and its testing must be financed by the manufacturer.
To ensure a correct testing procedure and reliable results, the following information and documentation must be provided by the manufacturer:
- Complete product specification(s);
- final batch testing report(s) of the selected samples;
- test protocols and results from design verification and design validation (or type examination);
- test description and instructions, and related forms if applicable.
When testing is performed on the manufacturer’s own site, the manufacturer will use its own personnel and laboratory test equipment, with the notified body’s personnel supervising the tests.
Finding non-conformities
The unannounced audit plays an important role in maintaining certification of a manufacturer regarding the European Medical Device Directives. Therefore, it is possible that certification can be suspended, if the audit result is inadequate, and products could not be placed on the European market until the certification is deemed valid again by the notified body. If major non- conformities are detected during an unannounced audit, the manufacturer will receive an audit finding list and will be given a maximum of 60 days to respond to the non-conformities and present the root cause analysis, correction and corrective action plan or implementation.