Learn about remote audits under the MDD and MDR, a temporary alternative to in-person audits during the COVID-19 pandemic.
With the incidence rates of COVID-19 skyrocketing in many EU and non-EU countries, it seems that in the following months very few audits will be conducted in person, and since the MDR  implementation date is getting closer and closer, manufacturers have started wondering about what will happen as their old MDD/AIMD certificates start expiring. Many breathed a sigh of relief when the European Commission issued Commission Notice (2021/C8/01) , that will allow remote audits under the MDR. But... Did you know that remote audits can be conducted only under very specific conditions, and that they may require a proactive effort from the manufacturer? In this article we untangle the problematic around remote audits and give you practical advice on how to get yourself audited.
Roadmap to remote audits
Last year, while most of us suffered strict lockdown conditions, the Medical Device Coordination Group (MDCG) published MDCG 2020-4 , a guidance on temporary measures related to Notified Body audits during the COVID-19 pandemic. This was very welcomed by the medical device manufacturers as it contributed to shed light on the global audit problem. Further guidance was provided by the MDCG later on the same year as they published MDCG 2020-17 Questions and Answers related to MDCG 2020-4 .
MDCG 2020-4 clarified in its scope that the guidance was in principle applicable only to audits conducted under the MDD, but left the door open for its applicability under the Regulations if remote audits were allowed at some point in the future. And so, the problem remained unresolved for audits under the MDR, which on the other hand is very clear on the necessity of in-person audits as a compulsory mean of verifying conformity regarding manufacturing and other relevant on-site processes (Annex IX (2.3)). It also establishes the obligation of competent authorities to monitor the Notified Bodies in this task (Article 44(2)) and the punishments to be imposed on any Notified Body that does not fulfil its obligations (Article 46(4)).
The problem grew more and more urgent until this January the European Commission pronounced itself at Commission Notice (2021/C8/01)  effectively permitting remote audits. However, the European Commission’s greenlight does not come without restrictions. More specifically, remote audits are allowed under the following conditions:
1. They are limited in duration, namely any notified body’s decision on certification is limited to the time strictly necessary to allow for a proper on-site audit to take place as soon as possible.
2. They are identified and justified on a case-by-case basis, and the individual circumstances should be documented and duly substantiated by the notified body.
3. They shall not go beyond what is required to ensure continuous availability of safe and performant devices, when concrete obstacles to complete conformity assessments on-site have been created by COVID-19 circumstances.
In practice, this means that although technically possible, remote audit requests are individually resolved by the Notified Bodies and are therefore subjected to each individual Member State’s position towards them.
How do I convince my Notified Body to have my company remotely audited?
Notified Bodies will assess the applicability of the extraordinary measures made available by the European Commission on a case-by-case basis using a risk-based approach. To put it in other words, you need to show to your notified body that a remote audit does not pose a significant risk in your specific case.
In order to do that, you need to stay proactive and reach out to your Notified Body to clarify their position on the matter. Preparing a document giving reasons that help tip the scales to your side is likely to be your best strategy.
These reasons may include:
→ A positive audit history with your current Notified Body.
→ Your device is considered clinically necessary during the period of COVID-19 restrictions. The European Commission published a list of essential Medical Devices .
→ Disposition to carry out an audit on your premises as soon as possible.
→ Evidence indicating that the company is well-prepared for being remotely audited. In some cases, it may be necessary to formalise agreements between the two parties as to the consent to use personal data, individual images and recording.
→ Evidence of the impossibility of the in-person visit.
Along with this, you should be ready to provide your Notified Body with files regarding status and operations related to the audit in question, so they can adequately assess the suitability of a remote audit in your specific case. However, you should note that in any case the final decision depends on your Notified Body and in the last instance, on the correspondent Competent Authority’s position towards remote audits.
If you have convinced your Notified Body and managed to fix a date for the audit for the first time, you may feel a bit lost. Colombian writer Gabriel García Márquez used to say that wisdom comes to us when it can no longer do any good, but, luckily enough, in our next article we will analyse the experience gathered so far by the Notified Bodies during audits under the MDD, in order to give you practical advice for successfully passing a remote audit and also to devise the future of remote audits.
Following soon “Audits in the time of Covid-19 Part 2”. Do not hesitate to contact us for further support at email@example.com.
Unique Device Identification (UDI) systems are arising worldwide, and understanding similarities and differences between them is key to be able to meet the requirements for each specific country or region.