How do you prepare for unannounced audit visits?

Unannounced audits apply to all EC Certificate holders (legal manufacturer), regardless of what directive the devices are covered by. This not only applies to legal manufacturers located in Europe, but to all EC Certificate holders, regardless of whether the manufacturer resides in Europe or outside the European Economic Area (EEA).

Where a company holds an EC Certificate, but is an OEM producer for another company, unannounced audits still apply, regardless of whether the devices are sold under the manufacturer’s own brand name or as an OEM product. Likewise, an EC Certificate holder which exports products solely to countries outside of the EU will receive unannounced audits, even though the devices are placed on markets outside the EEA.

The scope of unannounced audits is considerably different from routine surveillance and recertification audits. Unannounced audits are much shorter as they focus on a particular product, at the facility where it is manufactured, with the aim of assuring day-to-day compliance of the product itself, while surveillance audits are focused on quality management systems. Therefore, the European Commission decided that unannounced audits should be conducted in addition to the regular auditing programme. This process therefore requires additional investment, both time and money, from manufacturers. Given this, manufacturers should factor the additional costs related to unannounced audits in their budgets.

There will be no prior notice for any unannounced audits. If the auditor is not allowed to enter the company, this will be documented in the audit report and a recommendation made that the certification board suspends the certification in question.

Device selection
Notified Bodies will select products which they consider to have a high likelihood of non-conformity. Other criteria they may use include:

• Media reports and news about malfunctions.
• High risk devices.
• Information from the market based on malfunctions of similar products.
• Information or inquiries from the authorities.

The European Commission Recommendation refers to ‘device types’ to be sampled. As a medical device industry Notified Body, TÜV SÜD regards ‘device types’ to be defined by the maximum configuration; a list of components/sub-assemblies; plus a description of how the models are constructed from the maximum configuration and list. All models which are included in the device type typically have a common design, construction, parts or assemblies essential to ensure conformity with applicable requirements.

For the same device, there may be differences in defined device types that are dependent upon the same nature or type of the compliance criteria applied (e.g. area of application [intra-cardiac catheter], application range [bone screws], safety, EMC, performance, effectiveness, etc.). In the context of a specific standard, if the product standard defines a device type, this definition takes over.

Verify your author
Verification and authentication of the auditor is a very important step that manufacturers must take in order to safeguard themselves. The responsibility lies with the manufacturer to ensure that the auditors are genuine.

As an example, TÜV SÜD has a very clear process for verifying and authenticating the auditors:

• Upon arrival of the audit team on the manufacturer’s site, an authentication letter is handed to the manufacturer by the audit team.
• The manufacturer can contact their local TÜV SÜD contact person/office and ask for a verification of the unannounced audit, based on the information provided in the authentication letter.
• Upon request, a copy of the authentication letter can be faxed or e-mailed to the client.

What happens during an unannounced audit?
Unannounced audits are performed to verify the effective implementation of a Quality Management System, based on a randomly selected representative product. If needed, this can be more than one product, in order to assess if it has been manufactured in accordance with the technical documentation. As unannounced audits are conducted at the facility in which a product is manufactured, if a company has several product lines and/or several manufacturing sites, all products and sites will be subjected to an unannounced audit.

A team of two auditors will be on site for a minimum of one full day, but it may last multiple days. Mandatory elements for all unannounced audits include:

• Conformity of selected device with the technical documentation and with legal requirements.
• Traceability of all critical components and materials.
• Traceability system.
• Conformity of the following with legal requirements:
• Manufacturing activity ongoing at the time of the unannounced audit.
• Manufacturer’s documentation relevant for the manufacturing activity.

Manufacturers are asked to categorise their product portfolio of all CE certified models into device types. A definition for each device type must be available and include the following information:

• The complete range of models (product codes) included in the device type.
• The criteria applied to include this range of models in a device category.
• A description of how the models are constructed.
• A list of components.
• A list of sub-assemblies.
• Information on critical suppliers/outsourced processes, in particular testing.

Once the audit has been completed, the manufacturer will receive a confidential audit report and, if applicable, an audit finding list which details any major non-compliances that were detected during the unannounced audit.

Notified bodies
In 2014, various European authorities, such as the Zentralstelle der Länder für Gesundheitsschutz bei Arzneimitteln und Medizinprodukten (ZLG) of Germany and the UK’s Medicines and Healthcare products Regulatory Agency (MHRA), required that Notified Bodies fully implement their unannounced audit programmes.

Across the EU, all unannounced audits have to be performed by all Notified Bodies for manufacturers of devices under the new Medical Device Regulation (MDR), which came into force in May 2017 and will replace the current Medical Device Directive (93/42/EEC) and the Directive on active implantable medical devices (90/385/EEC) on 26th May 2020). The European Commission expects Notified Bodies to perform unannounced audits as a separate function to product assessments and quality system assessments.

For quality management related certificates, sample testing is not mandatory. However, it may occur if the unannounced audit team has reasonable doubts about the conformity of the device type(s). In this case, a product sample will be chosen for further inspection and testing, and if critical processes are subcontracted or critical parts are purchased from a supplier, the Notified Body may also conduct an unannounced audit of an OEM’s facilities.

Testing a product sample on-site, with the Notified Body auditor as a witness may be possible. Other options include the testing of samples by the Notified Body’s laboratory, or by qualified personnel under one of the following:

• Under Notified Body observation on their premises.
• On the manufacturer’s premises.
• On the premises of the manufacturer’s OEM.
• In qualified external laboratories.

Conformity testing
If sampling at the manufacturer’s premises is not feasible, Notified Bodies should take samples from the market if necessary (with support by the competent authorities), or should perform testing on a device installed at a customer location. If it is possible to perform tests on raw materials, intermediates, components or unfinished products, these tests will take place instead of destructive tests on final devices. However, the device acquisition and its testing must be financed by the manufacturer.

Testing of device conformity will be done in accordance to ANNEX III Section 4 of the European Commission’s Recommendation 2013/473/EU, with the main focus on the safety and performance of the device. Possible tests include:

• Microbiological safety testing.
• Mechanical safety testing.
• Packaging testing.
• Performance testing.
• Electrical safety testing.
• Functional safety testing.
• EMC testing.

In some cases, testing will duplicate design verification testing or other testing previously done by the manufacturer, and the manufacturer’s product experts will not be engaged during the Notified Body’s product test planning stage. This is because the products will be tested against the manufacturer’s specification, which are part of the required technical documentation.

To ensure a correct testing procedure and reliable results, the following information and documentation must be provided by the manufacturer:

• Complete product specification(s).
• Final batch testing report(s) of the selected samples.
• Test protocols and results from design verification and design validation (or type examination).
• Test description and instructions, and related forms if applicable.

When testing is performed on the manufacturer’s own site, the manufacturer will use its own personnel and laboratory test equipment, with the Notified Body’s personnel supervising the tests.

Finding non-conformities
The unannounced audit plays an important role in maintaining certification of a manufacturer regarding the European Medical Device Directives. Therefore, it is possible that certification can be suspended, if the audit result is inadequate, and products could not be placed on the European market until the certification is deemed valid again by the Notified Body. If major non-compliances are detected during an unannounced audit, the manufacturer will receive an Audit Finding List and will be given a maximum of 60 days to respond to the non-conformities and present the root cause analysis, correction and corrective action plan or implementation.