Illustration of an Auditor Observing Documents with a magnifying glass

Medical Device Audits: Overview, and Tips

by | Feb 25, 2022 | Audits, Medical Devices

Being a medical devices company, you are well aware of the fact that your products must be made to the highest standards and serve their intended purpose.

Let us take the example of absorbable sutures, a Class III medical device, which your company manufactures and markets across the globe. The absorbable sutures manufactured by your company are much sought after, not least that they are safe, efficacious, and are made to the highest industry standards.

The safety and efficacy of the product are vouched for by your customers. On the other hand, when you successfully pass audits conducted by international regulatory bodies, you are maintaining the highest industry standards.

This article will introduce medical device audits and cover the following sections:

What Is an Audit in the Medical Device Industry?

As per ISO 19011:2018 (section 3.1), an audit is defined as:

“Systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria  are fulfilled.”

This means that the international regulatory agencies will evaluate your medical devices company to find out whether the products you manufacture and market are in agreement with regulatory prerequisites and GxPs. This is referred to as a “medical device industry audit”.

Let us look at the example of the absorbable sutures mentioned at the beginning of this article. You will first be audited by regulatory agencies of the countries you wish to sell the product, before actually marketing it.

Ways in Which Medical Device Audits Are Conducted

The audits of your medical devices company can be in one of three ways:

  • On-site audits
  • Remote audits
  • Self-audits

On-Site Audits

This type of audit comes under stage II of the certification audit by the regulatory agency. Once the agency has suitably determined that your company is ready for the main audit (stage I), it will do an on-site audit wherein all documented information will be reviewed, your staff will be interviewed, and it will verify that your company meets all required regulatory requirements.

Let us look at the example of absorbable sutures. If your company is planning to market these in the EU, you will need to get an ISO 13485:2016 certification. The second step in this process is the on-site auditing by Notified Bodies.

Remote Audits

A remote audit is similar to on-site auditing. Here, the auditor connects with you using different types of technology to review your documents, tour the premises, interact with your staff, and attend all presentations.

You will need to use various tools for file sharing, video conferencing, screen sharing, and/or Electronic Quality Management System (eQMS) for sharing or reviewing all required documents with the regulatory agency.

Remote Auditing Tools and Technologies

We recommend you read an article on remote auditing best practices in life sciences, which offers tips on remote auditing. Especially with the ongoing pandemic that has put a lot of restrictions on people and companies alike.

Self Audits

Self-audits or internal audits are conducted regularly by medical devices companies as part of compliance with regulatory standards. Such audits are also valuable exercises to ensure that your company’s documents and QMS are effective. Internal audits must be conducted by staff not directly involved with the audited matters.

For instance, when you start marketing your absorbable sutures, you will be required to conduct regular self-audits to ensure that the products are manufactured as per planned and documented arrangements.

You can manage your audit-related documentation including audit plans, audit reports, audit findings more efficiently by using a QMS software solution with a built-in audit management software module like SimplerQMS. It automates audit-related tasks and allows you to easily link audits with a non-conformance, CAPA, or supplier corrective actions request (SCAR).

What Are the Major Medical Device Audits?

Major medical device audits faced by companies include the US FDA 21 CFR Part 820 and ISO 13485:2016.

FDA 21 CFR Part 820: This FDA regulation refers to medical device Quality System Regulations (QSR) for manufacturers of medical devices. The document emphasizes the design, manufacture, packaging, labeling, storage, installation, and servicing of all finished products that are intended for human use. This also includes your facilities and designs that are applicable for said products.

ISO 13485:2016: This international standard specifies the requirements for a QMS when a medical device manufacturer has to demonstrate their ability to provide medical devices and related services that unfailingly meet both customer and pertinent regulatory requirements.

When you market your products only in the US, you will need to comply with FDA 21 CFR Part 820. This is a legal obligation and non-compliance will lead to citations, fines, and even litigation.

If you are marketing only in the US, ISO 13485:2016 certification is not mandatory. However, if you are planning to market in the EU, you are required to get the ISO 13485:2106 certification.

Following this, you must apply for the CE mark. This is a mandatory requirement for all items sold within the European Economic Area (EEA) since 1985.

EU Notified Body Audits

You will be audited by the Notified Bodies in the EU, depending on the classification of the medical devices that you manufacture.

The Notified Body will assess the medical device quality management system (QMS) of your company based on ISO 13485:2016 requirements and give the necessary certification against MDR or IVDR. With this certification, you can apply for the CE marking.

Certification audits are generally conducted in two stages. In stage I, the auditor will review all documents and determine whether you are ready for the main audit. In stage II, which is always on-site, the auditor will review all documents and processes, interview staff, inspect facilities, and verify whether you meet ISO 13485:2016 standards.

ISO 13485 Audit for Certification

Recommended Reading: ISO 13485:2016 Audit: Overview, Audit Types and Execution

As already mentioned, once you are certified, you can go ahead with applying for the CE marking.

At this stage, we recommend you consider implementing medical device QMS software such as SimplerQMS. With such software, you will be able to securely store and manage all the required CE marking or other regulatory submission documentation for each and every product that your company manufactures.

The certification audits are then followed by surveillance audits wherein the auditor will ensure that you are continuing to comply with ISO 13485:2016 in a given timeframe. Also, you will need to undergo recertification audits once every three years after the initial certification audit has been completed.

The frequency and scope of the audits depend on the class of medical device that your company manufactures and markets. If you want to learn more about medical device classes, check out our guides on FDA medical device classification and EU MDR medical device classification.

FDA Audits

When you market your products in the US, you come under FDA regulations, specifically FDA 21 CFR Part 820. The FDA conducts several types of inspections:

  • Pre-Approval Inspections (PAI)
  • Routine Inspections
  • Compliance Follow-Up Inspections
  • “For Cause” Inspections

Pre-Approval Inspections (PAI)

With pre-approval inspections (PAI), the FDA is assured that your manufacturing site named in the application can manufacture the product and that the data you have submitted is both complete and accurate. The result of such an inspection is that the FDA inspectors may or may not recommend approval.

Routine Inspections

As per law, routine inspections will be every two years for your Class II and Class III medical devices.

The FDA follows the Quality System Inspection Technique (QSIT) that identifies the following subsystems in your quality management system (QMS):

Compliance Follow-Up Inspections

When a regular FDA inspection of your company has resulted in a Warning Letter or significant 483 observations, the FDA will conduct a compliance follow-up inspection.

Herein, they will verify the actions that you have taken in response to those observations.

“For Cause” Inspections

If an issue has been reported to the FDA regarding one of your medical devices, a “for cause” inspection will be conducted.

 These issues can be reported by:

  • The company itself (a product recall)
  • A user
  • An employee of your company

While such inspections usually focus only on the specific problem reported, they could lead to inspection of apparently disparate operations.

Medical Device Single Audit Program (MDSAP)

Another type of certification preferred by some medical device companies goes by the name of the Medical Device Single Audit Program (MDSAP).

The manufacturer will receive a single audit that will achieve up to five regulatory quality system requirements, all within the cost of one audit. If you wish to have such an audit conducted, you will need to approach an Auditing Organization (AO) that is authorized by the regulatory agency.

What Are the Types of Medical Device Audits?

There are three types of medical device audits internal, external, and unannounced audits. Let’s look at each in more detail.

Internal Audits

Internal audits are required by both FDA 21 CFR Part 820.22 and ISO 13485:2016 (section 8.2.4) requirements.

As the name suggests, employees of your company, who are not directly associated with the medical device product, can conduct the auditing. You can also have third-party consultants carry out these audits.

External Audits

External audits are also labeled as second-or third-party audits. An outside party who has a stake in your company, be it a supplier or a customer, can conduct a second-party audit. Third-party audits are conducted by external independent agencies, namely, Notified Bodies or regulatory authorities.

When your company audits an existing or a potential supplier, it is referred to as a supplier audit. This is to ensure that all quality standards are met. There are multiple benefits with external audits, some of which are increasing efficiency, reducing risks, ensuring compliance with regulations, and increasing confidence in supplier agreements.

Let us revisit your absorbable sutures. Your company is looking for a potential supplier for polyglycolic acid (PGA) with which the product is made. Therefore, you must do a supplier audit of the potential supplier before signing a contract to ensure that the materials are of the highest standards.

Unannounced Audits

Furthermore, notified bodies or regulatory agencies can conduct audits of your company without prior notice. These are called unannounced audits and their frequency will depend on the class of medical devices that your company manufactures. It can take place at least once every three years. The same rules will apply to supplier audits.

Going back to our example, once you have a regular supplier for polyglycolic acid (PGA), you will conduct unannounced audits at least once in three years to ensure that all quality standards are in place for the production of this material.

How to Prepare for Medical Device Audits?

When preparing for medical device audits, certain areas are very important.

Review All Documents

“Documents, documents, documents.”

You will need to review all documents pertaining to previous audits and also review all systems and processes.

Not only will you have to review batch records, design history files, device master records, device history records, change controls, SOPs, non-conformances, and others, you will also need to ensure that all supporting documents and records are accessible.

Since there will be a huge number of documents and records, an eQMS will be most useful. Some of the key document control capabilities a QMS software provides include a centralized repository, version control, time-stamped audit trails, electronic signatures, and more. Furthermore, your QMS subsystems like Design Controls and NC/CAPA Management can be linked in the eQMS for improved traceability.

Recommended Reading: Medical Device Document Control: What It Is & How to Simplify It

Prepare an Audit Plan

You need to have a plan of action ready that will outline the different stages in the auditing, culminating with the certification.

With the help of the audit management software module, you can easily bundle all upcoming audits under a single audit plan and streamline audit-related tasks by automating data collection, follow-ups, escalation of activities, and email notifications to the right personnel.

Train the Team and Delegate Responsibilities

Select the most conversant of your employees in each department and train them to answer all the potential questions the auditor can ask.

You will also delegate tasks to appropriate personnel in each department. Give them the audit plan and ensure that all tasks are completed on time.

By using QMS software automated workflows like SimplerQMS, you can ensure that the relevant persons are notified when they are assigned a specific task.

Get Ready for Both On-Site and Remote Auditing

The initial stages of the audit may be conducted either on-site or remotely. The latter is particularly true during the ongoing pandemic, considering the restrictions on people and companies alike.

In both types of audits, the auditors will probe your company in alignment with the scope of the audit.

Remote auditing (or electronic auditing) is a virtual audit conducted using electronic systems to acquire evidence. To learn more about remote auditing, check out our guide on remote auditing best practices.

While auditing can be stressful for the company, you can mitigate this by ensuring that you have a plan of action for the inspection ready and the necessary digital tools to respond to the auditor’s questions successfully.

Audit Management Software for Medical Devices

If you are still using the traditional paper-based systems for your documentation and auditing purposes, you would have realized that it is cumbersome and time-consuming.

Rather, you can shift to the cloud-based QMS software solution with powerful audit management capabilities that can help you automate audit-related documentation processes so that you can pass audits successfully.

These days, an audit management software solution is essential for any medical device organization looking to increase efficiency and ensure compliance with all applicable regulations. It automates tedious audit-related tasks, seamlessly integrates with your quality management system (QMS). This ensures that documentation remains accurate and complete, moreover, allowing you to greatly reduce time spent on these endeavors in comparison with manual approaches!

Final Thoughts

Being in the medical devices industry, you understand that your products touch the lives of multitudes of people across the globe. Hence, you must abide by the highest industry standards. This is ensured by being certified by international regulatory agencies and standards such as the US FDA 21 CFR Part 820 and ISO 13485:2016. For the purposes of certification, you will be audited, and as we discussed in this article, there are different types of audits, namely internal, external, and unannounced audits.

A lot of documents and records need to be maintained for these purposes.

By investing in the SimplerQMS audit management software, you have a ready-to-use solution for automating audit-related documentation activities and streamlining the entire process. If you are interested in learning more about how the SimplerQMS software solution can help you become audit-ready, we recommend booking a personalized demo and talking to your experts.

eQMS Business Case Template

Illustration of eQMS Business Case Template