Unannounced Audits by Notified Bodies
Unannounced audits are random sampling checks of the quality management systems by notified bodies with the aim of
- finding out if medical device manufacturers are working in conformity with their quality management system (eg according to ISO 13485),
- being able to identify deviations and react quickly and
- to uncover fraud in a more reliable way.
By now there is some experience with unannounced audits.
History of unannounced audits
The emphasis on unannounced audits is a result of the breast implant scandal, after which the demand emerged to check medical device manufacturers not only in the context of the ISO 13485, but also to take unannounced and random samples to ensure that the requirements of the QM system are met in everyday work.
As little as the hardliners at the amendment of the Medical Devices Directive, or the Medical Devices Regulation could enforce, it still seems the EU is serious about some intensification. The Notified Bodies are now committed to these unannounced audits and do perform them. They are almost as unpopular with the auditors as they are with the audited - the manufacturers.
Conducting unannounced audits
What is checked in unannounced audits
An aggravation applies to unscheduled audits by notified bodies. The EU has published a recommendation on how these audits should be carried out. For example, the following is to be checked:
- Is there a precise intended use description?
- Is the product correctly classified?
- Are the general performance and safety requirements met?
- Are the hazards determined?
- Are risks minimized as much as possible?
- Is there a acceptable risk-benefit ratio?
A representative of a notified body reported that they would take care, especially in unannounced audits, to check whether the documentation is up to date and whether the products actually comply with the criteria. The first point concerns the development a lot more, the second the production.
This prioritisation is understandable: after all, one wants to ensure that medical device manufacturers do not, in preparation for regular audits, bring everything to order and in doing so, not comply with the requirements of its own quality management system, or even deliberately violate them. With an unannounced audit the manufacturer has no chance, for example,
- to update or improve outdated or missing developing documents
- to conceal missing product tests
- to falsify records of product testing.
How often do unannounced Audits take place?
A representative of a notified body revealed to me what criteria they use to choose the manufacturer and to determine the frequency with which they audit individual manufacturers. There are three parameters:
- The risk that arises from the products. In this case, the notified body orientates itself above all on the classifications in accordance with MDD (I, IIa, IIb, III).
- The problems that it has had with the product or product category in recent years. It is irrelevant whether this information originates from the manufacturers themselves or from other sources such as the BfArM reports.
- The extent to which producers make themselves suspicious, especially in an audit. Auditors have a good feel whether or not manufacturers act honestly. They notice, even if they can not always prove it, whether the quality management system is practiced or if it's just a Potemkin village.
The EU demands are more specific:
The notified bodies should carry out unannounced audits at least once every three years. They should increase the frequency of unannounced audits when the products pose a significant risk, when the type of products in question are often not compliant or when certain information suggests that there is a non-conformity of the products or from the manufacturer. The schedule of unannounced audits should be unpredictable. Basically, an unannounced audit should not take less than a day and should be carried out by at least two examiners.
The Medical Device Regulation writes in Annex IX, chapter 3.4:
The notified body shall randomly perform at least once every five years unannounced audits on the site of the manufacturer and, where appropriate, of the manufacturer's suppliers and/or subcontractors, which may be combined with the periodic surveillance assessment referred to in Section 3.3. or be performed in addition to that surveillance assessment.
Assistance in preparing for unannounced audits
If the thought of unannounced audits scares you, then sign up. With our team of auditors and risk management, quality management, usability and software experts we can help you to quickly check the compliance of your products and your development with the relevant laws and standards (IEC 62304, IEC 62366, ISO 14971 and ISO 13485).
We also help you with specific, actionable advice to quickly iron out potential errors; so you can look forward to unannounced audits.