Preparing for unannounced audits of medical devices
Progress indicator
ISO 13485 internal auditor Karandeep Singh Badwal, explains what to expect and how to prepare for unannounced audits of companies with a UKCA or CE-marked medical device.
If you currently have a UKCA or CE-marked medical device on the market via a notified body, you should expect to have an unannounced audit conducted on your company at least every five years. Annex 9 of EU MDR states: “The notified body shall randomly perform, at least once every five years, unannounced audits on the site of the manufacturer and, where appropriate, of the manufacturer's suppliers and/or subcontractors, which may be combined with the periodic surveillance assessment.”
As indicated by the name, unannounced audits are not disclosed to the manufacturer and/or critical suppliers or subcontractors, and occur without any formal prior notice. It is important to note that five years is a minimum and it is not uncommon for notified bodies to do such audits over a three-year cycle, as per their recertification process. Where there is a cause for concern, it could be even sooner.
How to prepare for an unannounced audit
Although you can never predict when unannounced audits will take place, it is important to know what to do when they are conducted. So, how do you do this?
My recommendation is to have an official procedure in place, either standalone or combined with your current auditing procedures.
In addition, it is important to communicate throughout your company that such audits can take place at any time – and train everyone, so they know what to do when the time comes.
"It is important to communicate throughout your company that such audits can take place at any time – and train everyone, so they know what to do when the time comes."
What happens during an unannounced audit and what should your procedures cover?
You become aware of an unannounced audit when the notified body’s auditors present themselves at your premises. At this point, your company must provide immediate and unrestricted access, as well as a space for them to work.
Once the auditors arrive, the time allocated for the audit to progress is usually around 30 minutes – beyond this time, you risk failing the audit.
The first thing your procedures should cover is conducting an identity check on the auditors. You can do this by requesting an authentication letter for the auditors upon their arrival, or contact the notified body directly to confirm the authenticity of the audit. Anyone in the company can answer the door to such auditors, so it is important to train everyone in the business on this procedure and not just leave it to the Quality Assurance and Regulatory Affairs (QARA) staff.
Once the authenticity of the audit has been confirmed, allocate a responsible person or persons in the company to assist the auditors with their queries. The unavailability of QARA staff or top management is not an excuse and you risk failing the audit if you cannot provide the relevant records requested by the auditors.
The overall format of the audit will be similar to that of a scheduled audit.
Another point to cover in your procedures is the unannounced audits of your suppliers and/or subcontractors, where relevant. Include such requirements within any quality agreements you have in place with them.
Conclusion
Being prepared for an unannounced audit is advantageous as, by its nature, you can never truly know when it will occur. It is crucial for all personnel in your company to be aware of what to do when faced with an auditor, as anyone may be approached by them at any time.
Read more by Karandeep Singh Badwal
Quality World
Get the latest news, interviews and features on quality in our industry leading magazine.
Find an auditing course
Search our database of global training partners for a certified auditing training course in a location near you.