The Medical Device Coordination Group (MDCG) issued guidance on audits and conformity assessment procedures to be carried on by the notified bodies in the context of the outbreak of Coronavirus Disease 2019 (COVID-19) caused by the virus “SARS-CoV-2” or the “novel coronavirus”. The document enters into force immediately and remains effective during the whole period of pandemic declared earlier this year by the World Health Organization.
Regulatory Background from the MDCG
The new guidance issued by the MDCG is intended to assist notified bodies (eligible entities designated by the national regulating authority to conduct pre-market applications review and conformity assessment of medical devices) in maintaining operations during quarantine orders and additional travel restrictions. These restrictions have been imposed to prevent spreading the infection which can detrimentally affect their ability to perform on-site audits in the manner prescribed by applicable regulation. The document is dedicated to special temporary measures to be implemented by the notified bodies to ensure public health protection and the safety of medical devices available on the market. At the same time, it is also important to prevent shortages in the supply of critical medical devices to healthcare facilities, so the proper balance should be found between the protection of patients` health and avoiding unnecessary regulatory burden on medical device manufacturers. The new guidance describes the conditions under which the remote audits could be conducted instead of on-site audits in accordance with the applicable Medical Devices Directives.
The scope of the guidance covers the following types of audits to be carried out by the notified bodies:
- Surveillance audits carried out in accordance with applicable regulations,
- Re-certification audits,
- On-site inspections or verifications to be performed when the manufacturer files a notification on changes,
- Audits to be performed when changing the notified body (since the manufacturer may terminate the agreement with the notified body and enter into a new one with another notified body) responsible for conformity assessment of the same medical devices.
The present guidance from the MDCG is based on the Medical Devices Directive 93/42/EEC (MDD), Active Implantable Medical Devices Directive 90/385/EEC (AIMDD) and the In Vitro Diagnostic Medical Devices Directive 98/79/EC (IVDD) still remaining in force. At the same time, the general principles set forth by the guidance would be also applicable later when the new Medical Devices Regulation 2017/745 (MDR) and the In Vitro Diagnostic devices Regulation 2017/746 (IVDR) would enter into effect. Due to the COVID-19 outbreak, the European Commission proposed to postpone the implementation of the Regulation 2017/745 for an additional year.
The MDCG additionally states that the measures introduced by the guidance should not be applied to certain types of audits, namely:
- Unannounced audits,
- Special audits requiring on-site inspection (e.g. related to the corrective actions to be taken by the manufacturer).
According to guidance from the MDCG, the initial certification audits, as well as audits related to the extension of the scope of certification should be performed as prescribed by the general rules without applying the extraordinary measures. The notified body should decide on applying extraordinary measures depending on the particular situation on a case-by-case basis.
Proposed Alternative Measures
In accordance with the document from the MDCG, notified bodies are entitled to implement alternative extraordinary measures instead of on-site inspections (audits) temporarily during the COVID-19 outbreak. All such measures should be duly documented by the appropriate notified body, including the indication of the particular criteria. It is required to document the procedures and technologies used, and also to describe the impact of such measures on the duration of an audit carried out by the notified body.
The MDCG suggests the following alternative measure to be introduced:
- To postpone on-site inspections in accordance with the rules and procedures related to the impact that could be neither foreseen nor prevented (force majeure concept).
- To carry out remote audits instead of on-site inspections with the help of novel technologies, providing that all necessary security measures are being properly implemented to protect data and information transmitted.
- To perform off-site conformity assessments of the appropriate documents and/or records.
- To use as the evidence the audit reports obtained in the course of the appropriate MDSAP procedures instead of carrying out additional audits.
The MDCG stated that when making a decision on the implementation of the alternative extraordinary measures, the notified body should rigorously assess this possibility and duly document them when applied. The MDCG additionally emphasizes taking into consideration the history of non-compliances for each particular manufacturer. If the manufacturer subject to audit had a significant number of non-compliances, the notified body shall consider the possibility to supplement the remote audit with the additional on-site inspection conducted upon cancellation of the quarantine restrictions.
The decision from the MDCG on the particular extraordinary measures to be applied should also be based on available information about the operations of the manufacturer including the details about the processes performed on the manufacturing sites subject to the audit, the quality management system (QMS) employed by the manufacturer, and also on the non-compliances and other issues identified during previous audits. If the audit cannot be postponed till the cancelation of the quarantine restrictions, the notified body should consider the possibility of applying alternative extraordinary measures, such as carrying out the remote audit or off-site review of the documents.
The off-site remote audit should be performed using information and communication technologies that are suitable for both the manufacturer and the notified body. When applying such measures, it is important to ensure the highest level of data protection regarding intellectual property by employing sufficient cybersecurity measures. All technical aspects should be checked in advance before commencing the audit procedure, which should also be properly documented by the notified body. At the same time, the representatives of the national regulating authority are also allowed to participate in remote audits as observers to witness the compliance of the procedure with applicable requirements.
The remote audit should be carried out in accordance with the audit plan developed by the notified body and agreed upon in advance with the manufacturer in question. The audit plan should cover such aspects as the duration of the audit, the alternative extraordinary measures to be applied and the description of the audit’s part to be carried out remotely. The same information should also be indicated in the audit report. The audit carried out remotely should include the off-site review of the documents. The audit plan should be adjusted on a case-by-case basis depending on the specifics of the particular manufacturer and the manufacturing sites subject to the audit.
If the remote audit is to be performed for the purpose of re-certification, its scope should include all aspects required by the applicable regulations. Those mandatory tasks, that could not be assessed in the course of the remote audit, should be additionally assessed upon cancellation of the quarantine restrictions. At the same time, the postponing of on-site inspection should not prevent the notified body from re-issuing a certification indicating that necessary audits would be performed at the earliest opportunity.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.