Preparing for unannounced audits of medical devices

If you currently have a UKCA or CE-marked medical device on the market via a notified body, you should expect to have an unannounced audit conducted on your company at least every five years. Annex 9 of EU MDR states: “The notified body shall randomly perform, at least once every five years, unannounced audits on the site of the manufacturer and, where appropriate, of the manufacturer's suppliers and/or subcontractors, which may be combined with the periodic surveillance assessment.”

As indicated by the name, unannounced audits are not disclosed to the manufacturer and/or critical suppliers or subcontractors, and occur without any formal prior notice. It is important to note that five years is a minimum and it is not uncommon for notified bodies to do such audits over a three-year cycle, as per their recertification process. Where there is a cause for concern, it could be even sooner.

How to prepare for an unannounced audit

Although you can never predict when unannounced audits will take place, it is important to know what to do when they are conducted. So, how do you do this? 

My recommendation is to have an official procedure in place, either standalone or combined with your current auditing procedures.

In addition, it is important to communicate throughout your company that such audits can take place at any time – and train everyone, so they know what to do when the time comes.
 

"It is important to communicate throughout your company that such audits can take place at any time – and train everyone, so they know what to do when the time comes."

Karandeep Singh Badwal, Director of QRA Medical and an internal auditor for ISO 13485

What happens during an unannounced audit and what should your procedures cover?

You become aware of an unannounced audit when the notified body’s auditors present themselves at your premises. At this point, your company must provide immediate and unrestricted access, as well as a space for them to work. 

Once the auditors arrive, the time allocated for the audit to progress is usually around 30 minutes – beyond this time, you risk failing the audit.

The first thing your procedures should cover is conducting an identity check on the auditors. You can do this by requesting an authentication letter for the auditors upon their arrival, or contact the notified body directly to confirm the authenticity of the audit. Anyone in the company can answer the door to such auditors, so it is important to train everyone in the business on this procedure and not just leave it to the Quality Assurance and Regulatory Affairs (QARA) staff.

Once the authenticity of the audit has been confirmed, allocate a responsible person or persons in the company to assist the auditors with their queries. The unavailability of QARA staff or top management is not an excuse and you risk failing the audit if you cannot provide the relevant records requested by the auditors. 

The overall format of the audit will be similar to that of a scheduled audit.

Another point to cover in your procedures is the unannounced audits of your suppliers and/or subcontractors, where relevant. Include such requirements within any quality agreements you have in place with them.

Conclusion

Being prepared for an unannounced audit is advantageous as, by its nature, you can never truly know when it will occur. It is crucial for all personnel in your company to be aware of what to do when faced with an auditor, as anyone may be approached by them at any time.