The Food and Drug Administration (FDA) issued a policy on the Remote Auditing Pilot Program which would be implemented in the course of the Medical Device Single Audit Program (MDSAP). At the moment the new program, which is part of the Device Marketing Authorization and Facility Registration process is voluntary.
FDA: Basics of Remote Auditing
The new FDA program is intended to implement a novel approach to the auditing process allowing individuals to perform the audit in the off-site form. According to the position of the FDA, the new approach would also engage both auditors and organizations subject to the audit to use actively the new technologies and also to implement additional measures aimed at the improvement of communications and information exchange between the parties of the auditing process.
The FDA explicitly emphasizes that the new program will not substitute Stage 1 audits. It will also not affect the calculation of time. The new approach could be applied to the Stage 2 Initial, Surveillance, and Re-certification audits.
According to the information provided by the regulating authority, the initial duration of the new pilot program will be 18 months, while the authority reserves the right to terminate before the expiration of this period.
It is important to mention that the scope of the present pilot program covers only the processes related to the Device Marketing Authorization and Facility Registration, while all other processes actually fall outside of its scope.
The remote auditing itself is defined as “the use of technology to perform a portion of the MDSAP audit of a medical device organization that would normally be performed on-site.
The document determines the spheres of responsibilities of the authorities participating in the remote audit. According to the document, the distribution of responsibilities is the following:
- Auditing organizations should be responsible for the general oversight of audits performed according to the pilot program. In particular, the should assess the compliance with the applicable MDSAP policies and procedures, including the present policy on remote auditing.
- Regulatory authorities should be responsible for the audit reports evaluation. They are also entitled to make recommendations regarding the remote auditing.
Remote Auditing Procedures
The remote auditing process could be divided into several consecutive steps, namely:
- Planning. First of all, the auditing organization and the audited organization should reach the agreement on performing the remote audit in the course of the Device Marketing Authorization and Facility Registration process. The parties of the auditing process should create a plan containing the following elements:
- A statement confirming that the remote auditing will be performed in the course of the DMAFR process,
- A description of the methods and technologies that would be used to perform the audit remotely,
- Details about the auditors intended to perform the audit, and
- Details about the representatives (personnel) of the audited organization participating in the auditing process.
According to the requirements provided in the present policy from the FDA, the remote part of the audit should be performed 10 business days before the on-site part. The remote part should be also performed by the auditor who later will be included in the audit team performing the on-site part.
The Assessment Program Manager should be duly notified about the intent of the parties to perform the remote audit no later than 5 days before the date the remote part of the audit would be performed. The regulatory authorities would also participate in the remote part of the audit.
- Preparation. The authority allows parties to the auditing process to utilize various technological methods, such as video- and teleconferencing, web-based meeting systems, smart glasses or other systems. It is also recommended to use screen-sharing technology. According to the policy, the preparation stage includes the following steps:
- Requesting the information necessary before starting the audit from the manufacturer,
- Checking the operations of technical methods used by the parties. Both auditing organization and audited organization should have free uninterrupted access to the connection system,
- Confirmation of the workspace availability,
- Confirmation of the personnel availability,
- Confirmation of the availability of the documents that would be necessary during the audit,
- Checking the regulatory status of the devices subject to the MDSAP certification.
The FDA recommends parties to take the steps described here-above in advance to have time sufficient to fix all identified errors that could impact the remote auditing process.
- Performing the audit. The remote audit should be performed as close to the on-site audit, as it is reasonably possible.
- Audit report. According to the policy, the date of the on-site audit should be indicated as the audit start date, while the date when the remote audit has been performed should be recorded in the narrative section. At the same time, if the entire auditing process has been performed remotely, the audit start date should be the date when the remote audit has been performed. It is also necessary to indicate that all processes were audited remotely. If a remote audit has been performed in the course of the present pilot program, it is required to indicate the date of the remote audit, the details about the auditors participating in the remote audit, and also the description of the methods used.
According to the general rules, any nonconformity detected in the course of the remote audit should be duly documented in a way it would be documented in case of an on-site audit. The final form provided to the management of the audited organization upon finishing the audit should contain the information regarding all nonconformities detected during both remote and on-site audits.
- Certification. In accordance with the requirements, only manufacturing sites audited in the course of an on-site audit could be included in the certificate issued by the auditing organization. The Agency explicitly states that it is not allowed to include in the certificate the sites that were inspected only during the remote (off-site) audit, even if they are relevant for the manufacturer.
FDA Pilot Program: Further Steps
According to the policy, all parties involved in auditing processes, including both auditing organizations and audited organizations could complete the surveys to express their position. The information collected through such surveys would be used by the authority for the purpose of the further improvement of the program.
To evaluate the effectiveness of the program, the authority would also analyze some of the audit reports related to the remote audits. In particular, the authority would check whether the procedures performed to comply with applicable requirements. The FDA states that in case if more than 75% of the surveys would be positive, and more than 75% of the reports would comply with applicable requirements, the Agency will accelerate further development and implementation of the program.
Summarizing the information provided hereabove, the new approach to auditing creates new opportunities for both auditing organizations and audited medical device manufacturers. Thus, both parties to the process will have to make certain steps towards the actual implementation of the remote auditing to be able to use the benefits it offers.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.