
Unannounced Audits From A Notified Body – Your Questions Answered

21-10-2024

You know it’s coming, but you don’t know when. Under the EU’s Medical Device Regulation (MDR), part of the auditing cycle for your medical device includes an unannounced visit once every 5 years from your Notified Body. The visit may be inevitable, but that doesn’t mean it’s straightforward.

The good news is that the unannounced visit is very similar to the scheduled visits you’ve already received. And, thanks to our internal expertise (and first-hand experience!), we know there are actions you can take to ensure it goes as smoothly as possible. To help you prepare more effectively, we’ve compiled a list of common questions and answers.

1. Who will be present on site?

Typically, you can expect two auditors, following the four eyes principle that two people see more than one. You can also expect a third auditor – a trainee – who might be highly experienced but fulfilling a requirement to complete a certain number of training hours. 

When these representatives from your Notified Body knock on the door unannounced, ideally the people responsible for your quality assurance and regulatory affairs – your QA/RA Manager and your QMR (Quality Manager Representative) – need to be present.

Whenever one (or both) of these people is out of office, you need to have a standby system, in case there’s an unannounced visit. It’s advisable to put in place an agreed contact system.

2. What’s a ‘letter of intent’?

The audit team will arrive with a letter of intent outlining their credentials and what they’re going to do during the inspection. In general, the main purpose and scope of the day is compliance – proving that you’re doing what you say you are. 

They’ll check for instances of noncompliance, but if you’ve already notified them of any major changes, then there should be no surprises. Of course, anything that calls into question the safety of the product can have huge consequences for your business, including certification withdrawal or a product recall should the product be deemed unsafe.

Remember that the auditors will want to see evidence of effective change management, so it’s likely that they’ll dig deeper until they find it. For that reason, it’s actually highly beneficial if you’ve documented minor changes, or you’ve been through the process of corrective action.

3. What will the Notified Body want to see?

Unannounced audits have been part of Post Market Surveillance (PMS) for medical devices since 2014. Prior to the new regulation, they primarily took place on production sites to validate product safety. That’s the best way to inspect how the product is made, how it’s stored, and how it’s tested before being released. 

What the Notified Body examines will depend on the type of product you have. If you manufacture a physical medical device, it should be relatively straightforward. You’ll need to have your complete QMS and product information available for inspection. The Notified Body will request to see your production facilities, examining aspects such as emergency exits, safe escape routes, fire alarms and so on. 

4. How is Software as a Medical Device (SaMD) audited?

Since SaMD was reclassified as Class IIa, Notified Body inspections now also apply to Software as a Medical Device. But when there are no physical storage or production areas, what do they actually inspect? Think of the audit like a supply chain inspection, only for software. That includes any third-party components, the development team, and your product testing procedure.

If applicable to your SaMD, another key focus will be the interaction between software and hardware. Software on its own is relatively low risk, but as soon as you introduce a physical component (like sensors) it becomes more complex and poses a greater risk. 

Software is a black box. You put something in, and something else comes out. It’s how you control the output that’s key. Your auditor is unlikely to be a coding specialist, so with software it’s your paper trail and processes that come under scrutiny. Change management is a major focus. Whilst significant changes have to be reported to the Notified Body, what about those smaller changes, perhaps triggered by a complaint? 

Here are some questions you may be asked:

  • How do you collect product feedback?
  • What do you do with the feedback?
  • How do you make improvements?
  • How do you handle complaints?
  • Has a complaint triggered a corrective action process?

5. How do I prepare for an unannounced audit?

Being ready for an unannounced audit isn’t easy. But it is important. Should anything significant be uncovered by the unannounced audit – such as a major safety concern – you can face sanctions such as certificate withdrawal or product recall. Here are some things you can do to prepare:

1. Provide accurate availability 

Firstly, be aware that unannounced audits are never remote. They’re always on site. But you may need to call in an off-site expert to answer questions if needed.

Also, every year, you’re asked to provide your availability to the Notified Body. Make sure you do this as thoroughly as possible to maximize the chances of the relevant people being available on the day. 

2. Ensure your QA/RA Manager and QMR are contactable

As we’ve already mentioned, your QA/RA Manager and/or QMR definitely need to be available. Also, at the end of the audit, someone from management needs to be available to sign off the visit – ideally the QMR. 

3. Document all changes and change sources

You know that the focus is on production, and part of production is change management. Having a clear audit trail documenting the source of any change – whether it’s via a complaint, feedback, or innovation – is crucial. 

4. Be ready for feedback on the day

Audits last one day. Auditors allocate one hour for discussion and reporting, before presenting you with their findings. Feedback is fast. You will receive verbal feedback on the day and a written report the next day. 

5. Feel free to ask questions and challenge assumptions

It’s important to ask your auditors questions, gently challenging their conclusions if needed. Do be aware that any nonconformities must be correlated to the relevant standard or clause of the MDR. It’s okay to ask which part of the MDR or which standard they’re referring to. 

The auditors expect you to seek clarification if something is unclear. By the same token, don’t feel you have to challenge every tiny nonconformity. It’s often much easier and faster for everyone involved to accept minor nonconformities and resolve them. 

6. Are you ‘unannounced audit-ready’?

If you’re well-equipped to go through a regular audit, this one shouldn’t be a problem. 

Our advice? Make sure you have a robust Quality Management System (QMS) in place and keep your processes as transparent and streamlined as possible. That’s where Peercode can help. 

Our regulatory experts can help you prepare for Notified Body audits – unannounced or otherwise – by conducting our own audit of your QMS and production facilities. Our team of regulatory experts will take a deep dive into your systems and production facilities, providing you with practical guidance and steps for improvement, so you can be as audit-ready as possible.

Want to be ready for the unexpected? Speak to our regulatory experts today.