Medical device audits can be a source of stress for developers and manufacturers. But what exactly are the auditing requirements in the EU and US market, who will conduct them, when and how?
What is a medical device audit?
A medical device audit is a systematic, documented process which seeks to obtain evidence that products are created in compliance with regulatory requirements and GxP. They can be carried out by notified bodies and government agencies on an announced and unannounced basis. But they also need to be conducted internally as part of your company’s ongoing regulatory obligations.
While many markets operate separate auditing regimes to prove compliance with their regulation, the MDSAP (Medical Device Single Auditing Programme) now offers the prospect of more streamlined compliance for access to key markets around the world.
- Audits by EU Notified Bodies
- FDA audits
- Unannounced audits (conducted by regulators and certifying bodies)
- Internal audits
Audit by notified bodies in the EU
Depending on the categorisation of your medical device, you will need to be audited at your premises by a Notified Body (NB). The Notified Body will certify you against the requirements of the MDR 2017/745 or IVDR 2017/746 so that you can apply for a CE marking. They will also assess your Quality Management System against the requirements of ISO 13485:2016.
It is up to the medical device company to appoint a Notified Body to audit them and assess if they meet the required standards.
An initial certification audit is typically conducted in two stages during which:
- Documentation is reviewed against the requirements of the medical device regulation and ISO 13485
- The implementation and effectiveness of a company’s QMS is evaluated against the relevant standard
Every audit consists of:
- An opening meeting - Defines the scope of the audit, roles and responsibilities. The audited company delivers a presentation about their company to the auditor covering their quality processes, organisational structure, security procedures etc.
- An audit of the quality management system. This will include visits to departments, interviews with key personnel and subject matter Experts (SMEs). Auditors ask questions and make real time requests of the audited company for documentation and other evidence of a compliant QMS and production facilities.
- Closing meeting. During the closing meeting the lead auditor presents all the findings of the audit and the follow-up actions of the findings.
If and when the business gains ISO 13485, it means a valid QMS system has been established, the medical device company can apply for a CE marking and be legally marketed in the EU.
This initial audit is followed by regular scheduled ‘surveillance audits’, including examination of documentation and physical inspections of a site, to ensure standards are being maintained. Regular recertification audits are also required for ISO 13485.
The frequency and scope of these audits depend on the classification of your device which reflects the level of risk your product poses to users.
Unannounced audits by notified bodies
Medical device manufacturers are also subject to unannounced audits by notified bodies at least once every three years. This will increase in frequency according to device classification and the risk they pose to users. In most cases, an unannounced audit will be concerned with a specific product.
As the name suggests, these "unannounced audits" are unpredictable and take place without prior notice. Typically, auditing organisations present themselves at your premises, and the audited company must provide immediate and unrestricted access to their premises and systems.
Access to your critical sub-contractors and suppliers may also be required by the Notified Body. These will be subject to identical requirements. It should be noted that this right of access will need to be covered in your contracts with these suppliers.
If non-conformities are discovered in the way a product is being designed, manufactured, stored or managed, notified bodies can instruct the manufacturer to correct the problems. The urgency of required action or the triggering of other action will depend on the severity of discovered breaches.
In the US and elsewhere, regulatory audits are conducted by government agencies themselves. In the US this means the FDA, who inspect medical device manufacturers against the standards specified in FDA 21 CFR Part 820. There are four different types of inspections conducted by the FDA:
- Pre-Approval Inspections (PAIs) are conducted when a company applies to the FDA to market a new product. These inspections verify data included in the application, and confirm that the facility is capable of manufacturing the product.
- Routine Inspections are a legal requirement every 2 years for class II and class III device manufacturers (see US classification). They follow a method known as Quality System Inspection Technique (QSIT). If a serious public health risk is identified during this inspection, the inspection may become a “for cause” inspection.
- Compliance Follow-Up Inspections. This type of inspection reviews actions taken by a company following a previous inspection that resulted in significant 483 observations or a Warning Letter being issued.
- “For Cause” Inspections investigate a specific problem that has been reported to FDA. The source of the report can be the manufacturer, consumer complaints, or even a disgruntled employee.
Unannounced FDA audits
Like the EU notified bodies, the FDA can conduct unannounced inspections for which there is no notice given.
The exception to this is if you are based outside the US. In this case, the FDA will give you two to three months notice to allow time for travel and scheduling logistics.
Will opting into the MDSAP (Medical Device Single Audit Program) help with the auditing burden?
The Medical Device Single Audit Program (MDSAP) is an international initiative that can streamline regulatory audits for medical device manufacturers. By participating in the scheme, manufacturers can simultaneously satisfy the requirements of multiple countries, including Australia, Brazil, Canada, Japan, and the U.S.
In the US, the FDA has fully integrated its current inspection process into the MDSAP. This means that MDSAP audits can replace routine FDA inspections for manufacturers that opt into the program, while proving compliance with the regulatory requirements of other major markets at the same time.
It should be noted that neither the UK or the EU are currently participating in the MDSAP scheme, so separate auditing requirements will still apply for access to those markets.
Performing regular internal audits of your quality systems is a requirement common to ISO 13485 and FDA 21 CFR Part 820 but it is also a valuable exercise to ensure documentation and systems are as effective and efficient as possible.
ISO 13485 specifies the need for internal audits as follows:
The organization shall conduct internal audits at planned intervals to determine whether the quality management system:
a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements
b) is effectively implemented and maintained
The organization shall document a procedure to describe the responsibilities and requirements for planning and conducting audits and recording and reporting audit results
It also requires that:
Records of the audits and their results, including identification of the processes and areas audited and the conclusions, shall be maintained
FDA 21 Part 820, similarly obliges organisations to undertake regular internal audits and be able to demonstrate that they are doing so.
Internal audits can be undertaken by third party consultants on behalf of the organisations, or by people in your organisation (as long as they are not auditing themselves).
What about the new UK regulatory regime?
It should be noted that following Brexit, the UK are operating under a new regulatory regime overseen by the MHRA. Audits will be conducted by UK Certifying Bodies, who will ensure compliance with the new regulations and issue UKCA markings. The deadline for new medical devices and IVDs (In Vitro Diagnostic Devices) to comply with this regulatory requirement is now July 2025. But the MHRA will continue to recognise European CE Markings for an extended transition period for devices that are already on the market. This extended deadline will stretch to 2028-2030 (depending on the type of device you are manufacturing). To find out more read our blog, which spells out the 10 steps you need to take to manage your transition to the UKCA marking.
Audits of all kinds can be times of great stress for organisations. To mitigate the stress, ensure your team formulates a plan for inspection readiness and have the digital tools to respond to them in the most effective way.
Have a procedure available so employees know what to do and how to conduct themselves when investigators or auditors are present at your facility. Most importantly, ensure you can extract information quickly and efficiently from your quality management system to supply answers to questions and documentation on request. A digital Quality Management System is the most efficient and effective way to keep documentation orderly and updated ready for audit. Systems that can structure and publish the latest versions of required technical documentation, such as the DHF, ‘at the touch of a button’ - will help ensure audits and inspections run as smoothly as possible.