Making the Unexpected Expected: A Founders’ Guide to Unannounced Audits
What are unannounced audits and how should you prepare for them?
As the medical devices industry continues to evolve, ensuring compliance with regulatory standards and maintaining product quality is of utmost importance. External audits - that is, audits conducted by regulatory authorities and by potential or actual customers - play a vital role in assessing a company's conformity to regulatory standards and verifying the effectiveness of its quality management systems.
If you currently have a UKCA or CE marked medical device on the market through a UK Approved Body (UKAB) or an EU Notified Body (NB), you should anticipate unannounced audits to be conducted on your organisation, and in some cases on your suppliers or subcontractors.
Why? It stems from an EU Commission recommendation made in 2013; this recommendation was made as part of tightening controls on medical devices in the EU following the PIP Breast Implant scandal, news of which broke in 2010.
Fast forward to the present day: according to Annex IX of the EU Medical Device Regulation (MDR) and the EU In Vitro Diagnostic Medical Device Regulation (IVDR), these audits occur at least every five years. The post-Brexit UK Medical Device Regulation, which pertains to UKCA marked medical devices rather than CE marked ones, currently mentions unannounced audits in only one context, but we can be reasonably certain that in the future the UK’s unannounced audit requirement will catch up with the EU’s. Unannounced audits may also be conducted more frequently depending on the recertification process, the risk level of the device, or whether there are causes for concern.
To turn this surprise into a smooth process, it's crucial to have an official procedure in place – either a standalone protocol or one integrated into your existing auditing procedures – which outlines the necessary steps to take when an audit occurs. Everyone in your organisation needs to know about the possibility of unannounced audits and to have had training to ensure they are prepared when the time comes.
The process
During an unannounced audit, auditors will arrive at your premises – or the premises of your suppliers and subcontractors – without prior notice. Your organisation must grant immediate and unrestricted access, along with providing a suitable workspace. Typically, auditors allow around 30 minutes for the audit to get under way, so promptness is essential to avoid failing at the first hurdle.
The first point of the procedure is conducting an identity check on the auditors, by requesting an authentication letter upon arrival or by confirming the audit's authenticity with the UKAB or EU NB. There is no VIP list when it comes to unannounced audits: anyone in the organisation might answer the door to auditors, so it is critical that all staff are trained on this procedure and that it is not left solely to the QARA staff.
Note also that a social engineering attack on your organisation, in which outsiders attempt to obtain confidential information, could plausibly take the form of a bogus unannounced audit. This is a further reason to train your staff in how to respond, and in particular to complete the identity check above before granting access to premises, systems or records.
Once the authenticity of the audit has been confirmed, a responsible person or persons in your organisation should be allocated to assist the auditors with their queries, and a conference room booked out for the day in which to base the auditors. You should also nominate designees in case QARA staff or top management are not available (on holiday, off sick, etc.). Staff being out of office is not an excuse, and you risk failing the audit if you cannot provide the relevant records requested by the auditors. Overall, the format of the audit will be similar to that of a scheduled audit, albeit one for which there was no prior notification.
Another point to cover in your procedure is unannounced audits of your organisation’s suppliers and/or subcontractors, where deemed relevant; such requirements should also be included within any quality and commercial agreements you have in place with them.
Ambiguities for Software as a Medical Device manufacturers, particularly those working fully or predominantly remotely
The situation for remote working companies, even in post-pandemic 2023, remains unclear. The Code of Conduct for EU Notified Bodies, which was last updated in 2019 (version 4.0), suggests that unannounced audits are based on traceability:
Selection of one or more catalogue numbers (individual device types) attached to a declaration of conformity, linked to a valid CE certificate.
Selection of a random recent batch or lot from those catalogue numbers.
Requesting, for those batches or lots, the relevant documentation covering the full process from incoming raw materials and components to final release (batch or lot history records, manufacturing traveller, bills of materials, etc.).
If we use our imagination to translate that traceability concept into Software as a Medical Device terms:
Individual app(s) that are covered by a Declaration of Conformity should be selected for audit
Random recent software releases should be considered
The documentation should cover:
Feature requests and problem reports that are considered for a release
The change control for the release, including change impact analysis covering:
What requirements and consequent risk analysis need to be updated
What to reverify, revalidate or recertify and therefore whether the Notified Body should have been consulted
How the Unique Device Identification (UDI) needs to change depending on the extent of the software change
The finalisation of change controls, including verification, validation and design review reporting followed by controlled release to production
Software upload to production servers, including app stores
Instructions for Use (IFU) revision, if applicable, on websites etc.
This makes it mandatory for manufacturers to maintain conformity with their documented change control processes. It does not address how a fully remotely working company will be approached, though: there is no concept yet in the regulations of a fully remote working company, the expectation being that all medical device manufacturers will have some sort of physical premises.
Finally, on unannounced audits for software, consider the quality agreement you have in place with your outsourced/offshore software development house, and how you have provided for unannounced audits of your development house as part of the processes you specify through that quality agreement.
In the words of the above-mentioned Code of Conduct: “In case the manufacturer has subcontracted one or more critical parts of manufacture either to own manufacturing locations or to suppliers and they are regarded significant for the safety and performance of the device under review, then the Notified Body needs to determine whether those sites need to be audited as part of the unannounced audit.”
The dress rehearsal: the benefits of mock audits
For startups or organisations new to the medical devices industry, the prospect of an external audit can be overwhelming. However, mock audits provide a valuable dress rehearsal to proactively address concerns and better prepare for official audits.
1. Acclimatising to the audit environment
Mock audits simulate the actual audit scenario; one of the primary outcomes is the opportunity for your team to become familiar with the audit techniques and the types of inquiries likely to be encountered. Experienced auditors pose questions and evaluate responses, enabling staff in your organisation to gain invaluable experience in navigating the audit process effectively.
Practising articulating responses under pressure helps develop the ability to present answers confidently – ensuring clear and convincing communication of your company's practices, procedures, and records.
2. Identifying gaps and improving record-keeping practices
Auditors will typically request specific documents and records during an audit, so it is vital to know which records to present and how to organise them efficiently. Mock audits exercise this documentation process, ensuring easy accessibility to the required information and therefore reducing your risk of non-compliance.
3. Cultivating a Culture of Continuous Improvement
Engaging in mock audits encourages a culture of continuous improvement and vigilance within your organisation. By immersing your team in a simulated environment, they develop an enhanced awareness of compliance requirements and of the importance of meticulous record-keeping. This means you can refine processes, identify potential gaps, and implement robust corrective measures.
In the ever-evolving landscape of the medical devices industry, external audits are an essential component of ensuring compliance and maintaining the trust of stakeholders, be they the regulatory authorities, your investors or customers.
By embracing the concept of the mock audit, you empower your team to navigate the audit process with confidence and precision.
At Hardian Health, we encourage you to invest in this invaluable training tool, enabling your staff to master the art of audit technique, cultivate a culture of preparedness and drive continuous improvement.
Remember, preparation is the key to success!
Hardian Health is a clinical digital consultancy focused on leveraging technology into healthcare markets through clinical strategy, scientific validation, regulation, health economics and intellectual property.