Current travel restrictions, combined with the necessity to maintain regulatory certification programs, have driven certification bodies to find alternative methods of assessing the conformity of medical device manufacturers’ quality management systems (QMS).
Various regulatory guidance documents regarding CE marking and the MDSAP describe remote audits as a temporary extraordinary measure that may be used to evaluate product and system compliance.
Being adequately prepared for these remote audits is key to ensure smooth communication of required elements and a successful conformity evaluation outcome.
- Remote audits in the current context of COVID-19: the EU-MDCG and the MDSAP
The MDCG 2020-4 guidance document defines the measures to be followed by Notified Bodies to perform their assessment activities in cases where travel is extremely limited . Alternatives to on-site audits are defined by the Notified Body on a case-by-case basis using a risk-based approach, and may include: postponement of surveillance audits, performing remote audits, conducting off-site assessments of required documentation, and taking into account recent results of MDSAP audits (or other appropriate types of audits). The measures described in this guidance document may be applied to surveillance audits and re-certification audits under the medical device Directives, as well as audits required following a change notification or where a manufacturer wishes to change notified bodies.
It is possible to apply these same measures to initial certification audits, audits to extend the scope of certification, unannounced audits, special audits, or even certification audits under the Medical Device Regulation (MDR); however, this must be considered on a case-by-case basis and at the discretion of the notified body, and only in exceptional cases where it is in the best interest of public health and safety.
The MDSAP Transmittal Number 2020-05 sets out similar measures related to this international certification program. There are, however, important differences in the overall approach. Not only is the use of remote audits is limited to surveillance audits and re-certification audits, but the period of validity of MDSAP certificates renewed through a remote audit process cannot exceed 6 months.
Both guidance documents require auditing organizations to establish procedures describing the requirements in terms of information and communication technologies and tools necessary to carry out remote audits, as well as the documentation to be prepared (e.g. audit plan, audit report, etc.). The need to adjust the duration of the audit depending on limitations of the technologies used must also be evaluated.
Once generalized lockdown is lifted, auditing organizations will have to review and adjust their audit programs for each manufacturer to ensure that all required elements will be assessed over the certification cycle. Re-certification audits that were performed remotely will have to be supplemented by an on-site audit scheduled within an appropriate timeframe.
FYI: the IAF ID3: 2011 informative document describes an internationally recognized approach to the management of extraordinary events or circumstances affecting, conformity assessment bodies, accreditation bodies, and certified organization.
- Preparation for a successful remote audit
a) Audit program and objectives
It is important to keep in mind that the remote audit is not to be viewed as an inferior method of performing on-site audits. The ISO/IEC 17021-1:2015 standard, which defines the requirements for auditing and certification bodies, even lists remote audits as a possible evaluation method.
As previously mentioned, audit programs must be adjusted for each certified company and must allow, over the course of the certification cycle, to cover all requirements relating to their QMS. It is all the more important for notified bodies or auditing organizations to maintain their audit program as current travel restrictions may have a direct impact on product conformity (e.g. reduction in qualified staff working on-site for manufacturers and subcontractors, increased or reduced production rates).
For the certification body, the objectives of the remote audit remain the same as those of an on-site audit. For example, according to the scope of the audit, a notified body must still assess the compliance of the QMS implemented by a manufacturer with the European regulatory requirements.
The methods, procedures, and sampling criteria used to conduct a remote audit also remain the same: initial interview, analysis of documents and records, observation of activity, collection of evidence of compliance, and establishment of audit findings including non-conformities.
b) Planning and preparation
The stakes are high: maintaining and renewing certificates allows the continued placing on the market of medical devices. It is imperative to spend a significant amount of time and involve other functions within the company to both prepare internally, and to work with the Notified Body or the auditing organization in planning the remote audit.
According to the MDCG 2020-4 guide, prior to the remote audit, the Notified Body shall indicate the documentation that they will require both before and during the audit. A confirmation that the required information and communication technologies or tools will be available will also be requested. Manufacturers should give precise answers and prepare for the possibility of having simultaneous videoconferences in the case of there being several auditors.
Depending on the QMS document management system, auditors may request that certain information recorded in paper format be directed scanned and uploaded (e.g. selection of a handwritten batch record). Manufacturers should prepare for this type of demand.
Upon receiving the audit plan, a contact person within the company must be defined per topic. This person must be available to answer questions and provide requested data via the pre-defined electronic means. Manufacturers must mobilize their teams in the same way they would if the auditors were physically present.
If potential obstacles are identified in the audit plan, manufacturers should immediately contact the audit manager in order to determine alternative solutions. The audit plan may then be adapted accordingly.
The audit team may request simplified site plans to understand the infrastructure and workflows.
Finally, scheduling adjustments should be made if the participants in the remote audit are not all in the same time zone.
c) Technology Tools
A procedure that identifies the means and instructions to enable remote audits should be implemented. Before conducting the audit, the Notified Body will verify the capacity of the manufacturer to participate in a remote audit from a technological perspective. It is important to have a secure videoconferencing system in place and a secure internet access with sufficient bandwidth to allow safe and quick sharing of information. Some certification bodies are also experimenting with the use of webcams for production line audits. The confidentiality of intellectual property and personal data must be preserved. IAF MD provides further guidance on these aspects.
A team must be ready at all time to immediately resolve any IT and technical difficulties experienced during the remote audit.
d) Good practices for remote communication
Manufacturers which has experience with on-site audit practices must prepare differently for remote audits. This poses a new challenge for the entire audit team. In terms of communication, even during a videoconference, only the verbal and vocal elements will be easily perceptible. Mannerisms, gestures, facial expressions, and body language are not communicated through a webcam and thus about 60% of what is captured in an ordinary exchange is lost. This is even more true if the language of the audit is not the working language of the participants.
It is therefore important to focus effort on making exchanges more fluid. First, one person in the company should be designated as the “guide”, i.e. the person who will facilitate and assist the team throughout the entire audit. The guide will ensure that the various interlocutors are clearly identified by name and function at all times. He or she will also be able to rephrase the audit team’s questions and ensure that the answers provided are understood by the auditors. It is advisable to frequently check whether the audit team considers that the data transmission methods enable them to correctly perform their tasks. It will also be necessary to express any difficulties encountered by the audit team in real-time. Finding quick solutions for continuing the audit under conditions that are compatible with the audit objectives is also key.
Actively listening and participating in front of the screen requires a lot of energy. It is a good idea to plan more frequent breaks than during an on-site audit. It should be noted that the auditing organizations are asked to adapt the duration of their audits accordingly.
The guide will ensure that video-conferencing courtesy is respected (information on microphone breaks and the use of the recording function).
e) Conduct of the audit
During a remote audit, interviews with staff are conducted, as well as guided reviews of selected documents and records, using screen and/or file sharing. Auditors must be able to apply their sampling and data selection process. Some QMS procedures and activities are easy to audit remotely, such as control of subcontractors, corrective and preventive actions, management review, internal audits, and validation files. Otherwise, if this is provided for in the audit plan, the auditors may ask to directly observe an activity or process via webcam, whether it be through a mobile phone, tablet, etc.
It is also possible that auditors, who may not be in the same location, want time to exchange information with each other or to review a particular document. This may be followed by a question-and-answer period with the manufacturer.
The maintenance or renewal of regulatory certification allowing the continued marketing of medical devices is the final and critical outcome of a successfully and properly conducted remote audit. It is therefore recommended to identify and allocate the time and resources necessary to prepare for this type of audit, the objective of which remains to verify QMS compliance. It is also necessary to adapt communication methods during the audit itself to ensure a solid mutual understanding of all available evidence of compliance provided. Finally, the means for controlling the security of data exchanged electronically must be defined and implemented.
Up until now, remote auditing of QMS was limited to a few specific cases. Given current quarantine measures and travel restrictions, it is now being widely used. The experience we are gaining during this time will likely serve as a basis to further develop this means of conformity assessment, and to improve its reliability. Remote audits could continue to be used by certification bodies as a complementary means depending on what is allowed for in their respective certification schemes. It will also be necessary to determine what the Regulations (EU) 2017/745 and 746 allow for in the context of CE marking. Remote audits could also be developed to assess subcontractors and service providers or to perform internal audits.
Here at nexialist, we are developing robust methods to carry out remote audits as part of our internal audit services.
- EU Medical Device Coordination Group (MDCG). Guidance 2020-4 on temporary extraordinary measures related to medical device Notified Body audits during COVID-19 quarantine orders and travel restrictions
- MDSAP Regulatory Authority Council Transmittal 2020-05 on Temporary Extraordinary Measures Related to MDSAP Audits During COVID-19 Quarantine Orders and Travel Restrictions. Remote Audits
- ID3:2011 (IAF Informative Document For Management of Extraordinary Events or Circumstances Affecting ABs, CABs and Certified Organizations)
- International Organization for Standardization (ISO). Guidelines for Auditing Management Systems. ISO 19011: 2018
- IAF MD 4 (Mandatory Document for the Use of Information and Communication Technology (ICT) for Auditing/Assessment Purposes)